GJIA - Cyber Issue I by GJIA (Georgetown Journal of International Affairs)

Georgetown Journal of

International Affairs

International Engagement on Cyber Establishing International Norms and Improved Cybersecurity

Georgetown University Institute for Law, Science, and Global Security

insert

UPC bar here

E dmund A. W alsh S chool

F oreign S ervice

$10.00

usa

Georgetown Journal of International Affairs

Forward

Lieutenant General (Ret.) Brent Scowcroft

Panel 1: National Security, Law Enforcement, and Deterrence

Panel Chair: General (Ret.) Michael Hayden Panelists: Rep. Mac Thornberry (R-TX), Wing Commander Thomas Parkhouse, Lieutenant General (Ret.) Charles Croom, Richard Roberts, Shawn Henry

Panel 2: Cybersecurity, Economics, and a Healthier Ecosystem

Panel Chair: Dr. Greg Rattray Panelists: Koenraad Gijsbers, Eneken Tikk, Andy Purdy, James Mulvenon, Jeff Carr

Panel 3: Public-Private Collaboration Models Globally

Panel 4: National and Global Strategies for Managing Cyberspace and Security

Panel Chair: Melissa Hathaway Panelists: John Nagengast, William Guenther, Eric Werner, Phyllis Schneck, Kristjan Prikk

Panel Chair: Hon. Franklin Kramer Panelists: Michele Markoff, Robert Butler, James Lewis, Gao Fei, Alexander Klimburg

101

Introduction: Strengthening the Norms of State Responsibility CATHERINE LOTRIONTE

Cyberspace has made the global community more interconnected than at any time in human history. With its numerous benefits, however, come significant risks to both states and non-state actors. In order to mitigate these risks and ensure the security of the cyber domain, states must come together and establish a normative framework of state responsibility in which diplomatic and military actions can be undertaken effectively.

110 The Five Futures of Cyber Conflict and Cooperation JASON HEALEY

The Internet has changed dramatically over the past several decades and will surely continue to evolve in years to come. The author explores five possible futures of cyberspace - Status Quo, Conflict Domain, Balkanization, Paradise, and Cybergeddon - and discusses what each might entail for future generations of Internet users.

118 The Stuxnet Enigma Implications for the Future of Cybersecurity IRVING LACHOW

In July 2010 an incapacitating computer virus wiped out 60 percent of Iranâ&#x20AC;&#x2122;s computer network, effectively crippling the countryâ&#x20AC;&#x2122;s uranium enrichment capabilities. Little is known about the exact source and purpose of Stuxnet, but the attack has awakened the international community to the very real dangers that even nation-states face in the cyber domain. The author argues that similar attacks are very likely to occur in the future, and offers recommendations to policymakers for mitigating their effects.

[ i]

127

Responding to Sub-Threshold Cyber Intrusions A Fertile Topic for Research and Discussion HERB LIN

Adversarial actions take many forms in cyberspace. It is often difficult to attribute an attack or exploitation to a particular culprit in the cyber domain, and there is currently no clear threshold for determining a government’s response to an attack. The author explores several different types of cyber intrusions, discusses how they are unique from kinetic operations, and presents a response framework for the U.S. government.

136

Cyber Security: An Integrated Governmental Strategy for Progress FRANKLIN KRAMER

As both the public and private sectors become increasingly reliant on the Internet, maintaining security in cyberspace is emerging as a national priority. The author outlines a comprehensive approach to improving cybersecurity that would prioritize governmental efforts to use resources more efficiently and increase the prospects for success.

151

Criminal Public-Private Partnerships Why Can’t We Do That? RON PLESCO AND PHYLLIS SCHNECK

Cyber threat actors operate all over the world and evade detection and prosecution by utilizing a complex web of cyber tools. In order to combat cyber threats, the public and private sectors must come together and combine resources. The authors discuss the National Cyber Forensics & Training Alliance, a non-profit organization that draws on private industry, academia, and law enforcement organizations to neutralize the threats posed by cyber criminals.

157

Counterinsurgency in Cyberspace JOHN MILLS

Over the past decade, irrational non-state actors have moved to the forefront of international conflicts and have defied the way that nation-states combat adversaries. Cyber insurgents are no different, and pose a particularly significant threat to both state- and non-state actors because of the cyber domain’s low cost of entry and the the veil of anonymity it provides. The author draws on lessons from military counterinsugency operations and presents a strategy for national security professionals to combat insurgents in cyberspace.

163

Creating the Demand Curve for Cybersecurity MELISSA HATHAWAY

The Executive Branch faces numerous complex challenges in a variety of domestic and international arenas. Strengthening our information security posture is certainly one of them, and the Administration must take a bold approach to accomplishing this end. The author presents a unique strategy for strengthening cybersecurity, recommending that the Executive Branch should call upon three independent regulatory agencies - the SEC, FCC, and FTC - to support our information infrastructure and protect American enterprise.

171

The Whole of Nation in Cyberpower ALEXANDER KLIMBURG

National governments must project power in cyberspace in order to remain relevant and ensure their security in this increasingly important domain. In order to adjust to the challenges of exercising cyberpower, governments must work with a wide range of actors in the private sector and civil society. The author draws on collaborative models from ground operations in Iraq and Afghanistan and discusses the various ways that national governments can coerce, co-opt, or convince non-state actors to cooperate with them.

[ii] Georgetown Journal of International Affairs

Contents

180 Civilizing Cyberspace TOM KELLERMANN

Cyberspace is not a peaceful environment. Threat actors abound and will target individuals, companies, and entire nations. Establishing and maintaining effective cybersecurity requires cooperation between the private and public sectors. By collecting and sharing information about cyber criminals and those who enable them to operate, defensive public-private alliances will be able to “connect the dots” between cyber attacks and their perpetrators.

185 China’s Cybersecurity Challenges and Foreign Policy GAO FEI

China’s economic growth has spurred an explosion of Internet use among the Chinese population, but the country’s efforts to maintain cybersecurity have not kept pace. As both the target and source of numerous cyber exploitations, China is a critical actor in the global cyber domain. The author discusses some of the cyber-related challenges that the Chinese government faces within its own borders as well as its posture towards other nations’ policies.

191 Protecting the National Interest in Cyberspace KOEN GIJSBERS AND MATTHIJS VEENENDAAL

As a country with one of the highest levels of Internet penetration in the world, the Netherlands has made cybersecurity a major priority for both the government and the military. The authors discuss the country’s cybersecurity strategy and argue that public-private partnerships, better understanding of the nature of cyber attacks, and greater investment in creating skilled cybersecurity specialists are all necessary for combating future cyber attacks.

197 All Done Except the Coding: Implementing the International Strategy for Cyberspace

MATTHEW G. DEVOST, JEFF MOSS, NEAL A. POLLARD, & ROBERT J. STRATTON III

In May of this year, the Obama Administration released its International Strategy for Cyberspace, which aims to enhance prosperity, security, and openness in the cyber domain. The authors argue that the strategy is necessary as the Internet continues to gain importance for both the public and private sectors, but that much needs to be done in order for it to be effective. Highlighting key decisions and actions that must still be made, the authors offer recommendations for implementing the Administration’s plan successfully.

209 The Geo-Political Strategy of Russian Investment in Facebook and Other Social Networks JEFFREY CARR

Over the past two decades, three powerful individuals have fueled the exponential growth of the Russian Internet. They have invested millions in social networking outlets such as Facebook and have created a wide range of Internet services companies and sites of their own. With strong ties to the Russian leadership, however, these men actually serve the interests of the Kremlin, and may support efforts to limit freedom of information and quash political opposition.

216 Privacy Assurance J.C. SMART

In order to protect its citizens from the numerous threats that exist in cyberspace, the U.S. government must collect, process, analyze, and share volumes of information among its agencies. The government’s oversight and monitoring increasingly conflict with its constitutional protections of individual liberties, however, and may infringe upon the privacy of innocent individuals who use the Internet. The author proposes a unique Privacy Assurance model that would use a “black box” to protect user information while sifting out patterns of reasonably suspicious behavior on the Internet.

[ iii]

Georgetown Journal of International Affairs

Editor-in-Chief

Michael B. McKeon

Article Editors

Julia Famularo, David Gregg, William Handel, Sikander Kiani, Alexandra Lazorchak, Ryan McKinstry, Medha Raj, Elizabeth Saam

Business Manager Elizabeth Livengood

David Abshire, Susan Bennett, H.R.H. Felipe de Borb贸n, ADVISORY BOARD Joyce Davis, Cara DiMassa, Robert L. Gallucci, Lee Hamilton, Peter F. Krogh, Michael Mazarr, Fareed Zakaria Anthony Arend, John Esposito, Christopher Joyner, UNIVERSITY COUNCIL Charles King, George Shambaugh, Robert Sutter, Charles Weiss, Jennifer Windsor

[iv] Georgetown Journal of International Affairs

The

Georgetown Journal of International Affairs would like to thank the following supporters S piros D imolitsas S enior Vice -P resident for R esearch & Chief T echnology O fficer Georgetown University for his support for the CyberProject and his vision for the university

Dr. Catherine Lotrionte Executive Director Institute for Law, Science, and Global Security Director Georgetown University CyberProject

The Institute for Law, Science, and Global Security Georgetown University

The Atlantic Council

Matt Angelo, Georgetown University Damien Wilsons, The Atlantic Council

This issue of the Georgetown Journal of International Affairs is dedicated to the memory of Dr. Christopher Joyner, former Director of the Institute for Law, Science, and Global Security, who served Georgetown University for twenty-two years.

[ v]

Notice to Contributors

Articles submitted to the Georgetown Journal of International Affairs must be original, must not draw substantially from articles previously published by the author, and must not be simultaneously submitted to any other publication. Articles should be around 3,000 words in length. Manuscripts must be typewritten and double-spaced in Microsoft™ Word® format, with margins of at least one inch. Authors should follow the Chicago Manual of Style, 15th ed. Articles may be submitted by e-mail (gjia@georgetown.edu) or by U.S. mail; those sent by U.S. mail must include both a soft copy on a compact disc and a hard copy. Full names of authors, a two-sentence biography, and contact information including addresses with zip codes, telephone numbers, facsimile numbers, and e-mail addresses must accompany each submission. The Georgetown Journal of International Affairs will consider all manuscripts submitted, but assumes no obligation regarding publication. All material submitted is returnable at the discretion of the Georgetown Journal of International Affairs. The Georgetown Journal of International Affairs (ISSN 1526-0054; ISBN 0-9824354-2-8) is published two times a year by the Edmund A. Walsh School of Foreign Service, Georgetown University, 301 Intercultural Center, Washington, DC 20057. Periodicals postage paid at Washington, DC. Annual subscriptions are payable by check or money order. Domestic: $16.00; foreign: $24.00; Canada: $18.00; institutions: $40.00. Georgetown Journal of International Affairs, Subscriptions Edmund A. Walsh School of Foreign Service 301 Intercultural Center Washington, DC 20057 Telephone (202) 687-5696 Facsimile (202) 687-1571 e-mail: gjia@georgetown.edu http://journal.georgetown.edu All articles copyright © 2011 by Edmund A. Walsh School of Foreign Service of Georgetown University except when otherwise expressly indicated. For all articles to which it holds copyright, Edmund A. Walsh School of Foreign Service permits copies to be made for classroom use, provided the following: (1) the user notifies the Georgetown Journal of International Affairs of the number and purpose of the copies, (2) the author and the Georgetown Journal of International Affairs are identified, (3) the proper notice of copyright is affixed to each copy. Except when otherwise expressly provided, the copyright holder for every article in this issue for which the Georgetown Journal of International Affairs does not hold copyright grants permission for copies of that article for classroom use, provided that the user notifies the author and the Georgetown Journal of International Affairs, the author and the Georgetown Journal of International Affairs are identified in the article, and that proper notice of copyright is affixed to each copy. For reprinting permission for purposes other than classroom use, please contact Georgetown Journal of International Affairs, Permissions, Edmund A. Walsh School of Foreign Service, 301 Intercultural Center, Washington, DC 20057. Telephone (202) 687-5696. Facsimile (202) 687-1571. The views expressed in the articles in the Georgetown Journal of International Affairs do not necessarily represent those of the Georgetown Journal of International Affairs, the editors and staff of the Georgetown Journal of International Affairs, the Edmund A. Walsh School of Foreign Service, or Georgetown University. The Georgetown Journal of International Affairs, editors and staff of the Georgetown Journal of International Affairs, the Edmund A. Walsh School of Foreign Service, and Georgetown University bear no responsibility for the views expressed in the following pages.

[vi] Georgetown Journal of International Affairs

Forward

We live in a most dynamic time for innovation and collaboration among individuals, organizations, and governments. It does not take a cyber expert to realize that the Internet has become a part of our daily lives. But technology has continued to outpace the development of applicable laws and policies. This gathering marks a significant step toward much needed dialogue among stakeholders Over the past two decades, our dependence on cyberspace has grown exponentially to encompass both our economic prosperity and social wellbeing. Still, the same mechanics that enable such prosperity simultaneously contribute to threats in this domain. Technology permits us to communicate instantly throughout the world and gives us access to libraries of information at the touch of a key. These same tools have also put us at risk because terrorists and criminals also interact in this domain. This is not just an American problem; it is a universal problem. Gatherings of stakeholders will be critical to furthering cooperation on an international scale, as cyberspace knows no borders. It is clear that the global community is not organized to compete with the cyber threat nor is it keeping pace with developing technology. Therefore, we must invest in partnerships between public institutions, private industry, and a mix of the two. Considering its longstanding technical leadership in this field, the United States has an opportunity to take the lead—working with partner nations—on international norm development. The international community must also commit to creating better organizations and capabilities to improve cybersecurity through both technical and legal means. One of the great challenges for international cooperation in cyberspace is the inability of governments to confront their own domestic cyber problems. We have learned from the Cold War that communication and engagement are critical to avoid massive destruction. Cyber weapons have the potential to wreak havoc on societies across the globe, and, as with many new weapons technologies throughout history, some governments are attracted to this new “super-weapon.” But this weapon’s effects are truly global. In the twenty-first century, leaders must move away from a classic deterrence model and toward a cooperative approach, as cybersecurity involves not only governments, but also industry and individuals. Ultimately, engagement is a process. If we fail to address growing concerns among nation-states and individuals about security in cyberspace, we will surely experience great loss. To protect its interests, governments ought to develop well-defined doctrines for activity in this domain, including peacetime and times of conflict. My hope is that my granddaughter will continue to experience the benefits of technology and live prosperously in a truly global village

Brent Scowcroft

[1]

Panel 1: National Security, Law Enforcement, and Deterrence REP. MAC THORNBERRY (R-TX): Well, I appreciate the opportunity to

be here, and I appreciate Georgetown and the Atlantic Council hosting this conference. Being a member of Congress, I need to keep things simple. And besides, you’ve got plenty of smart, experienced people on this panel and in the panels to come. But just to start with basically a simple question, which is, to me: has technology and cyberspace presented a new, fundamentally different kind of challenge to national security? I think you heard General Scowcroft answer that question in the affirmative. I think it’s also in the affirmative when it comes to crime. It’s also in the affirmative when it comes to espionage. It’s also in the affirmative, by the way, when it comes to political activism. I guarantee you, every person running for office is doing fundamentally different things with their campaigns than they were just a few years ago. So, if it’s a fundamentally different kind of challenge, the second question is: are our laws, policies and regulations keeping up with this new challenge? And I think, on this question, there is virtually unanimous agreement that in the United States, and to different extents, around the world, we are not. And yet, while we fiddle, our vulnerability continues to grow. And yet, to – and so that means we need to take action; to take action means going through the political process. And I guess my primary point today is that we can’t let the perfect be the enemy of the good, considering that whatever happens with laws and regulations and policies, even if it doesn’t go through Congress, or if it does go through Congress, has to have a political component factored into it. Obviously, we’ve got significant challenges in doing that. An attack could be crime, it could be vandalism, it could be political expression, it could be terrorism, it could be a cyberattack. The problem is, you don’t know what’s happen-

[ 3]

PANEL 1: NATIONAL SECURITY, LAW ENFORCEMENT, AND DETERRENCE

ing at the time it is occurring. And yet, for our government, and I suspect for other governments, different agencies are responsible for dealing with each of those different kinds of attacks. We’ve had two hearings so far this year in my Armed Services Subcommittee just asking the question: what is the responsibility of the Department of Defense to defend the private sector in cyberspace? We think that the answer is pretty clear if we have a fleet of bombers coming to bomb the Houston Ship Channel. It’s not so clear if we have a fleet of packets coming through cyberspace to disable those same facilities. And so some of these fundamental questions have to be dealt with. A second challenge, of course, as Shawn just mentioned, is the difficulty in attribution and the effective absence of geography causes all sorts of challenges when implementing our laws, and when dealing with basic concepts such as deterrence and retribution. A third challenge is, in the United States, we certainly have a good, healthy dose of American skepticism, with more government power knowing more about our lives and intervening into some of the most personal part of our lives. And in cyberspace, whatever we do has to be decided ahead of time, because it happens at light speed, so the rules of the road have to be in place before it actually happens. And that affects the amount of trust we are willing to give our government, of whatever agency, in what – in dealing with our privacy and other sensitive information. We have different expectations of privacy than, I think, others, and that makes setting international standards on some of these issues more challenging.

[4] Georgetown Journal of International Affairs

A fourth area of concern is that to deal with cyber, obviously you have to have a sort of cooperation and interrelation between government and private industry that I won’t say is unique for us, but it is certainly unusual for us. And that presents its own set of challenges. So, the point is, whether you look at these items, or a dozen others we could list, some sort of political calculation – political, I don’t mean partisan, I mean taking the sentiments of the people and our political institutions into account. It is tempting, I know, to get everybody in this room to agree on the master plan to deal with cybersecurity. And we could all go in the back room and we could trot out a 2,500-page bill, and we could ram it through Congress. But then, we might have to grant a thousand waivers in the first year exempting a variety of folks from ever having to comply with those provisions, and meanwhile everybody in the country is becoming more and more disillusioned that we do not have a clue what we’re dealing with to begin with. Now, we’ve been down that road in other fields, and it’s not a good way to proceed procedurally and it’s not a good way to proceed substantively. But steps are important. We can’t let the perfect be the enemy of the good. My personal view is that some steps we can begin to take now include looking for encouragements for private industry to elevate their level of cybersecurity – looking at a toolbox full of carrots and sticks that would help encourage greater emphasis on this problem at the highest levels of private industry. Secondly, I think we ought to look at facilitating the use of the tools that the military uses to defend military networks to defend critical infrastructure.

International Engagement on Cyber

And there is a pilot program along that line which is just beginning. Third, I think we need to examine and update a whole variety of laws which have not kept up with changes in technology. Melissa Hathaway, in her review at the beginning of the Obama administration, identified dozens of laws that have not kept up with the changes in technology. And I believe it’s our job in Congress to go through, one by one, looking how we can update. Some will be more controversial than others. Some with be more helpful than others. But as we go through those individual laws, I think we can help, again, elevate the general level of security which we face. The speaker of the House has asked me to coordinate an effort across all committees to see that something gets done on cybersecurity. I think he sat through one too many intelligence briefings to believe that we can continue to go with business as usual, having just about every committee in the House – and I’m sure the same is in the Senate – but just about every committee in the House having some responsibility for cybersecurity, and as a result nothing has happened, year after year after year. So something – I am optimistic that I think something will occur this year in Congress. I think it needs to – we need to acknowledge that the free market alone will not solve our cybersecurity issues but whatever we do should be consistent with free market principles to allow that private sector innovation to continue. Congress should try to raise standards without setting standards which will be an obvious target for the hackers to target in on. And we certainly ought to look for examples where government can lead by example – too often, it has not done so.

But I also think that everyone should be flexible about legislative vehicles, whether it’s one bill or whether it’s a dozen. The important – again we can’t let the perfect be the enemy of the good – the important thing is to take some action, as General Scowcroft was describing with nuclear deterrents – feeling our way along, step by step, moving out in the right direction. I think we’re doing to do that this year in the United States. And I think on an international level we can make a greater contribution there as well. So I’ll look forward to your questions. Thank you.

WING COMMANDER THOMAS PARKHOUSE: Good morning. I’d like to echo the words of Shawn and the congressman in thanking Catherine and the General for opening, and I’d also like to echo the congressman’s words. My name’s Tom Parkhouse, I’m a member of the Royal Air Force in the U.K. I’m currently working in the Ministry of Defence and as of Friday I will be part of our cyberpolicy unit that forms up as the funding starts for our national cyber program. Briefly this morning – before we get into the panel questions, which I’m really looking forward to – what I’ll do is I’ll briefly outline our national cybersecurity program, which I think will – you’ll see has lots and lots of parallels with what you’re doing here. I’ll talk very briefly about what we’re doing in defense, and if we want to get into that in the panel discussion again I’ll work from that. And then I’ll sort of go a little bit off-(piece ?) and take my life in my hands by coming up with a few of my own ideas on deterrence and international norms. Probably with the – I’ll say

[ 5]

PANEL 1: NATIONAL SECURITY, LAW ENFORCEMENT, AND DETERRENCE

now – with the aim of provoking some questions – provoking some discussion and seeing where we go from there. So the key messages from the U.K. at the moment on cybersecurity is that we believe that with the U.S. – and with most of the nations here represented – we have a common perspective and we’re recognizing that this is a priority area. Cyberspace is vital for the prosperity of the U.K. and it is vital for our way of life. It brings opportunities to business and to our population, but, as has already been said here this morning, it brings threats – threats from cybercrime, threats from espionage, threats from terrorism and potentially threats from warfare – all of which must be addressed. Last year in October our government announced 650 million pounds of new money – whatever that is – to bring about a transformative national cybersecurity program. This program was derived from – or brought into highlight by our strategic defense and security review and in our revised national security strategy. Cyber was recognized as being one of the top four national security threats, alongside terrorism, natural hazards and major accidents. And, of course, it won’t be lost that for two of those cyber is actually quite possibly a major part of them. The program is going to be managed and brought together by our Office of Cyber Security and Information Assurance – which itself was created after the issue of our first national cybersecurity strategy, which was issued now almost two years ago. Interestingly, the issue of our national cybersecurity strategy didn’t make the headlines in the press in quite the way we expected because unfortunately its announcement coincided with the death of Michael Jackson. (Laughter.) [6] Georgetown Journal of International Affairs

As I said, OCSIA, the Office of Cyber Security and Information Assurance, has been charged with overseeing, prioritizing and coordinating the centralized funding and implementation of the cyberplan. And how these measures that have basically now been funded and are going through business cases at the moment – how these things are going to fit together will be subject to a revised national cybersecurity strategy that’s going to be published in the next few months. The key points – and again, I don’t think these issues will be lost amongst you – is that we absolutely accept that cyberspace is complex. That is the heart of why this is difficult. And therefore, improving our cybersecurity requires a multifaceted approach which is going to involve all government departments, all government agencies, working in close cooperation with industry and academia, and of course our population. The types of things that are covered in our cyberprogram include tackling cybercrime – this is – this, we see as probably the most insidious risk at the moment. Our Minister of Security has emphasized that she sees this as the most insidious risk – the thing that the population is most likely to suffer, and therefore most likely to make it scared of using computer systems – taking advantage of our online services – is cybercrime. And we’ve just announced that we’ve doubled the staff focusing on cybercrime in our police department. But, you know, hidden underneath the banner of doing cybercrime is actually making sure we have a clear definition of what we mean by cybercrime, because these days almost every crime has a component that involves a com-

International Engagement on Cyber

puter – be that the coordination of the crime, be that in the inception of the crime, be that in the surveillance for the crime, be that the research for the crime. The second sort of pillar of our approach is reducing our vulnerability to cyberespionage and state-led threats. And again, we’ve got to get to a point where we understand what is the information of national importance – how are we protecting it? And this is not – this is not particularly a conceptual argument, but actually an argument of organization, because even once you’ve identified what information is important, you’ve then got to be able to track it. You’ve got to be able to track its movement between departments, between agencies, out into industry, out into subcontractors, out into the – what you would call the mom-and-pop business – I’ve said that right? – or what we call the small- or medium-prized enterprise – small- or medium-sized enterprise. And particularly – that’s all right when it’s top down, but what about when it’s bottom up? So there’s lots and lots of work to be done there. We have got to do – and this is going to require international effort – far more on our situational awareness. You’ve got to be able to describe what it is that’s going on. You’ve got to be able to show the population the risk. You’ve got to be able to show politicians and parliament the risk. Close to the home for me, we’re establishing the defense cyberops group, which I’ll come into in a bit more detail later – the critical infrastructure is obviously in there. We’ve got to get the approach to be coherent – lots and lots of good work going on everywhere – but we’ve got to make sure that, again, it’s not seen as a vulnerability and how

that vulnerability propagates. It’s actually about how you deliver cross-government capability, national capability, and looking at it from an alternate perspective. All of this is going to require close partnership with the private sector and with other governments. Our prime minister has met with industry; he’s had them round for – the key members of industry, and not just cyberindustry, but broad industry – had them in and asked them, you know, how they see this as going and how we can work, you know, together with industry. And then, the final pillar, which is probably one of the most important, is improving our national skill sets, education and awareness. Very briefly on the defense cyberops group, let me just talk about some of the developments on our capability here. We are – we have now put into the public domain that we are working to develop tests and validate the use of cybercapabilities as a potentially more effective and affordable way of complementing our delivery of our tasks. We have said that we will always act in defense of our national interests in this area. We are – the defense cyberops group and the defense element of the plan is bringing together how we improve our capabilities, how we mainstream this in defense, how we make sure our organization’s specialists are right, and how, once our program ends, how we make sure this becomes part of normal business. As I’m getting time warnings, I’m very quickly going to just move on to the few things that I wanted to throw out there for the discussion: deterrence. Really, really important subject, lots to talk about. There are many lessons we can learn from the nuclear deterrence [7]

PANEL 1: NATIONAL SECURITY, LAW ENFORCEMENT, AND DETERRENCE

debate, I’m quite sure. But as somebody whose, you know, humble backgrounds was as a cop, I also think that there’s a lot we can learn from the crime prevention environment as well. Crime prevention doesn’t sit alone. It relies on investigation, prosecution, punishment, rehabilitation as allies. It’s about tailoring it to circumstances. But crime prevention has to deal with multiple actors, full and varied ranges of capabilities. It has to deal with very, very different levels of intent and ambition. It has to deal with those actors having different aims, in terms of the effects, or the things that they achieve. It has to deal with people who want to create fear, who want to destroy things, who want to have financial grain – gain, sexual gratification, surveillance of future stuff. So, crime prevention is a really – is a good model to be looking at as well as nuclear deterrence. The second thing, I just want to say, on developing international norms – and I obviously note the fact that the U.K. is hosting an international intergovernmental conference in the autumn, and I note the comments that William Hague made at the Munich security conference about a month ago – you know, international norms is going to be hard work. Cyber, as I’ve said before, is complex, and it’s built on a quickly shifting set of definitions, concepts, policies, technical skills and just technical change. So – and those changes are not synchronized around the world. So, international norms are going to be really, really difficult in doing that. And sort of the final thing I’ll say is about macro versus micro. International – this is personal view – inter-

[8] Georgetown Journal of International Affairs

national norms are going to be one thing to create – to states, transnational bodies, multinationals and everything else – but international norms have to also be about the individual. They have to be about the user, be that user, you know, the average person who is just at home doing their business online, be it about somebody who might be criminally motivated, be it about the young person, the juvenile, who is starting to test the boundaries of their world. One – but one – and so we’ve got to get this macro-to-micro thing right. In the U.S., you have local policemen who deal with local issues. How are you going to deal with those same really tiny issues when they’re being affected across the world? I’m going to stop there. I look forward to the discussion and I’ll promise to keep my comments in the discussion shorter than my comments now. Thank you.

LIEUTENANT GENERAL (RET.) CHARLES CROOM:

Well, good morning – and good morning, General Hayden. I thought I had missed the fine print that we could do this panel virtually. But no, you’re here, and so we can’t. I must admit I’m a little bit edgy and nervous this morning being back on a Georgetown University campus. I’ve never really excelled on university campuses, but I am sitting next to a distinguished congressman – thank you, sir – and it is a little disconcerting though that the FBI is on my right and Interpol’s on my left. I didn’t speed too much coming in here this morning. Well, how many folks have been to cybersecurity conferences before? Yeah, it’s – so over the weekend, I was really concerned about, well, what can I possi-

International Engagement on Cyber

bly say that’s new and different? And I’m sitting there Sunday morning watching the snow fall on the cherry blossoms, and I was wondering to myself, well, did cybersecurity really cause this too? This climate change? I don’t know. But I did get the opportunity in that cold morning to read an article that is the theme of this presentation. The article was the “Rise of a Cybered Westphalian Age,” written by Dr. Demchak and Dr. Dombrowski, taken out of the Strategic Studies Quarterly in spring of 2011. Now, I didn’t go to Georgetown, so the reason this article intrigued me is I had no clue what the Westphalian age was. Any hands on that? Well that – yeah, see you’re smarter than I was. The Treaty of Westphalia, 1648 – what could that possibly do with cyber? You know, it ended the Thirty Years’ War, right? So, if you didn’t know anything this morning, you know that. It also ended the Eighty Years’ War between Spain and the Dutch Republic. The treaty resulted in the first really modern diplomatic congress, initiated a new political order in central Europe based upon the concept of a sovereign state governed by a sovereign. So that was the first 15 pages, and I’m still wondering, well, what’s this got to do with cyber? Well, there were a lot of conclusions out of this treaty, some of it dealing with religion, but I’ll just skip down to – it also was a general recognition of exclusive sovereignty of each party over its lands, people and agents abroad to include the fact that a sovereign state had the responsibility for the warlike acts of any of its citizens or agents. Well, that might apply now as we see cyber movements coming out of countries to other countries with no one

held responsible. Well, we’ve wondered about this. You know, the cyber – is it a global commons? Is it the fifth dimension, as the military would say? Air, land, sea, space and cyber? Is it the frontier? Is it the Wild West? Well, just a side note – the White House came out with a policy statement in the last few days that clarified that totally. It said it’s not a cyber domain, it’s not a war-fighting domain, it’s not a military domain, it’s not an operational domain, but it is cyberspace. And so that’s now what they’re going to officially call it – really to take, I think, the military out of that definition. A neutral term, cyberspace. Well, no frontier lasts forever, and no freely occupied global commons extends endlessly where human societies are involved. Sooner or later, good fences are erected to make good neighbors. And so it must be with cyberspace. So that’s the theme. Fences, borders – does that really add value to cyberspace? Well, let’s talk about that. Today, we are seeing the beginning of border-making process across the world nations in cyberspace. All states, in one way or another, will reach out to control what they fear from the Internet, to control their borders, protect their citizens and their economies. We kind of see that today in China as they’ve stood up their Golden Shield; Australia, with the ISPs; perhaps the U.K. a little bit. Well, in this Westphalian world, virtual borders and national cyber commands are normal elements of a modern cybered government. Well, why is this? Well, frontiers, if you think about them, particularly as our American Wild West, are places of conflicts: poorly governed, lightly populated, where people grab and go in a lawless nature. [ 9]

PANEL 1: NATIONAL SECURITY, LAW ENFORCEMENT, AND DETERRENCE

Being able to grab control is one hallmark of a functioning state, i.e., passports, custom controls at our own borders. When states cannot protect the capacity of this – the capacity of the state falls into question by those feeling threatened. After a Westphalian peace, the nation-state became the dominant form of social organization, codifying and enforcing rules, institutions, norms by which they interact with each other and the international society. For the last 362 years, we have been creating conditions supporting this gradual hardening of borders among states. I think there were good reasons for this. Let’s think about cyberborders. Cyberborders allow a distinction between forces defending the borders, i.e., military, and those protecting the individual citizens inside the nation from attack, i.e., police. Without borders, it’s difficult to define what those missions are. If cybersecurity is a mission involving military-like actions repelling attackers, well, cyberborders will have to be determined to guide when and where these actions can occur. Attacks across borders will become state responsibilities, whether or not the state approves or guides attacks. In closing, let me just say that today, we will cope with the emergence of cyberspace similar to the way we cope with any new frontier. Over time, cyberborders and emphasis on nationstates will enhance stability and security. Good fences make good neighbors. What has been carved out over centuries in the concrete world is not all that undesirable for societal stability, economic returns and international security in cyberspace. This transition, of course, seems to still lie ahead of us.

[10] Georgetown Journal of International Affairs

RICHARD ROBERTS: Distin-

guished guests, colleagues, ladies and gentlemen, good morning and thank you for inviting me to participate in your conference here today. This wonderful setting, Gaston Hall, has a rich history of serious debate and quality discussions, and I very much hope that I can contribute to the upkeep of that tradition this morning. My name is Richard Roberts. I’m the head of the information security branch of Interpol –or, more precisely, the Interpol General Secretariat. It’s going to be fairly tough, but I do hope that in just 10 minutes, I can explain to you a little more about what Interpol does, what Interpol is, and how Interpol can assist in ensuring cybersecurity on an international scale. Let me start by explaining very briefly what Interpol does. Contrary to what you might see in the movies or on television, Interpol is not a clandestine organization that runs around arresting people on sovereign territory or conducting covert missions or anything else of that nature. Nothing could be further from the truth. What Interpol actually does is facilitate police cooperation on an international level. In addition to what you might be aware of in terms of the Interpol wanted notices, we provide training capacity building to law enforcement domain; we provide operation support to investigators – for example, criminal analysis; we provide conferences and seminars, closed-door conferences, for specialist task forces; and various other programs that assist the global law enforcement community to prevent and detect serious international crime. But not only that, we host and we share

International Engagement on Cyber

amongst the Interpol community unique global databases of criminal and police information using Interpol’s secure global police communication system. And Interpol does this all over the world, even when no political or diplomatic relations may exist between countries. We bring the law enforcement community together on an international scale. Essentially, we connect police for a safer world. What is Interpol? Well, Interpol is an organization of member countries, 188 of them, who decided to work together in the field of international police cooperation. Think about that – in a world with, more or less, 200 recognized countries, Interpol can be used to communicate at any time with 188 of them. In fact, Interpol is its member countries. Member countries coordinate and cooperate through a network of national central bureaus, including the National Central Bureau of Interpol, Washington, right here in D.C. The logistics of such global cooperation and facilitation, the support, the tools, databases, are all provided by a sort of headquarters entity, known as the Interpol General Secretariat, and it’s based in France. There are several of their offices around the world. The General Secretariat is headed by Secretary-General Ron Noble, and is staffed by a diverse, multinational, multicultural, and multilingual workforce. This workforce has no active law enforcement role on any national territory. They essentially provide support to the Interpol organization – to our national central bureaus. It is the national central bureaus that perform the work on the ground, whereas the General Secretariat develops and oper-

ates the organization’s shared assets. Essentially, the national law enforcement communities of every Interpol member country operate independently, but under the umbrella of Interpol, respecting national sovereignty, jurisdiction, and legislation. Every member country operates a national central bureau, and the national central bureaus finance and resource Interpol. National central bureaus are staffed by citizens of the country on whose territory they are located. Now, that’s a little bit of useful background, but this is, after all, a conference about cyberspace, cybersecurity. So let me tell you that Interpol has long been involved in supporting cybercrime investigations and assisting the law enforcement community on a global scale. In fact, Interpol financial and high-tech crime, which includes cybercrime, is one of Interpol’s priority crime areas. And I apologize for the small, small writing there. But what does Interpol actually do in this area? Well, here’s some examples. Interpol produces regional trend analyses using its regional cybercrime working parties. We maintain an IT crime manual for law enforcement investigators. We work with certain vendors to counter different threats: for example, the threat of zombie networks and botnets that could be used to attack critical infrastructures. We’ve established a 24/7 network of national contact points for cybercrime issues in 120 of our member countries. We work with a number of organizations: the G8 high-tech crime group – excuse me – the International Organization for Standardization, ISO, the Forum of Incident Response Teams, and the European Network and Information [11]

PANEL 1: NATIONAL SECURITY, LAW ENFORCEMENT, AND DETERRENCE

Security Agency, are to name but a few. And we host international closeddoor conferences and seminars on this subject for specialist audiences. As you can see from this slide, we have in the past arranged many training workshops and seminars. However, these tended to be fairly small events, and either focus highly on technical issues, or were very broad. But recently, we’ve expanded our work program to engage much more widely on cybersecurity matters. For example, the last event that Interpol hosted, the first Interpol information security conference, co-hosted by the Hong Kong police, was held in Hong Kong, China, in September 2010. Saw almost 300 participants from 53 countries as diverse as Rwanda, Saudi Arabia, the U.S., France, China, Mauritius and many, many more. We also had representatives from Harvard University, from the law enforcement community, from private corporations, NATO and other international bodies. And despite the diversity of the actors involved, the conference came together as a whole to make concrete recommendations. Concrete solutions to problems were found, and like-minded people from around the world built relationships that will help them to fight cybercrime, protect critical infrastructure and ensure cybersecurity. In essence, we can see from these recommendations that countries are asking for more assistance to build their own capacity in cybersecurity. But as first responders to incidents, our member countries, the law enforcement community in our member countries, want to be better able to contain incidents, to stop the attacks in real [12] Georgetown Journal of International Affairs

time, as well as being able to prevent and detect the perpetrators of cybercrimes in a somewhat slower time. And they’re asking for the global law enforcement community to develop standardized tools and techniques that will assist their investigations. And in part, based upon the recommendations of the last conference, Interpol is trying to enhance its role to better support member countries on cybersecurity initiatives. Interpol expects to be able to develop cuttingedge solutions to some of the toughest cybercrime challenges through its new Interpol global complex that is currently being established in Singapore. This initiative aims to tackle the shortage of expertise that plagues even the most developed nations. With this global complex, we hope to build much-needed capacity in this field, in particular, building computer forensics capacity by establishing a digital forensics laboratory and associated training programs. Essentially, Interpol is looking to merge the domains of cybersecurity, digital forensics, cybercrime investigations and information security into one global cybersecurity-focused function. But all of this takes money, and diverts resources from other crime areas. And this is why, in order to maximize the value of this initiative, the Interpol secretary-general is seeking funding to better equip and develop this program. Ladies and gentlemen, the chap in front of me here is telling me I have one minute left. So just let me remind you that Interpol is a network that already exists. It’s a proven quality, and it’s frequently used to engage internationally in many crime domains, including cybercrime and other serious crimes.

International Engagement on Cyber

Of course, law enforcement is but one piece of the larger security – sorry, excuse me – law enforcement is but one piece of a large cybersecurity paradigm. But it’s one that’s frequently overlooked. Being able to prevent, detect and ultimately prosecute cybercrimes is a fundamental building block on which to build a secure cyberspace and that will ultimately ensure the security of critical infrastructure and the world’s citizens. Interpol has many partners in this field. It’s already built an international engagement network that can be leveraged by member countries. So why not develop and use Interpol more frequently as one of your mechanisms to support international cybercrime investigations, and to help ensure a much more secure cyberspace? And although not a magic bullet, the use of Interpol really should be one part of any comprehensive national cybersecurity strategy. Now, I know that many of you are wondering how I can – how can I leverage Interpol? How can I access Interpol’s services, programs or support and this global network? Well, it’s very simple, three letters: NCB, your National Central Bureau. Your National Central Bureau is the door, the portal, to access all of Interpol’s services. And with that comment, I hand over to my colleague, Mr. Shawn Bray, deputy director of the Interpol National Central Bureau here in Washington. Thank you.

So with that in mind, let’s cover a couple of points he raised that I think are salient to the conversation this morning. And the first is the phrase “where diplomatic relations do not exist.” We’ve seen this time and time again, and it sounds like it’s counterintuitive, but really, this communication system works on a regular basis. What we’re finding out is, this is becoming a general and institutional method for international communications among law enforcement. This is the accepted method, they pass information routinely through us, at the NCBs, the National Central Bureaus – here it’s known as Interpol, Washington; in the U.K., Interpol, London; Interpol, Ottawa, and so on and so forth. What this does is afford us an opportunity to communicate in real time across the I-24/7, the Interpol communications network. It gives us an incredible multilateral outreach – 188 countries instantaneously and securely. Most of you have probably seen the colored notices – red notices pursuing fugitives in the international community. However, bilateral communications across that network are where we make our bread and butter. It’s us dealing one on one with other law enforcement agencies in other countries, or multilaterally among a group of agencies working on a similar case or investigation. If we look at the findings of recent cyberexercises over the past few years, SHAWN HENRY: You know, they underscore the need for reliwhen you get down to speaking, you’re able, well-placed and tested means toward the end of the panel, you kind of communication in a crisis. of hope to ride that wave, and then There are other forms of communiRichard gets up and dispels the entire cation that are certainly in use. Richmyth of Interpol right before I step up. ard mentioned the G8 and the 24/7

[ 1 3]

PANEL 1: NATIONAL SECURITY, LAW ENFORCEMENT, AND DETERRENCE

network – I believe there’s 58 countries in that right now. Obviously, the network of CERTs around the globe. And certainly there are regional concerns as well. But this is the only truly global network for these purposes. The NCB represents the nation’s law enforcement Interpol, and often facilitates the national and private partnerships of that nation in the world community through Interpol. The NCB streamlines the flow of information and is the singular point of contact for all business. Interpol, Washington’s mission is quite simply to be the statutorily designated U.S. representative of Interpol on behalf of the attorney general. We facilitate international law enforcement cooperation and have done so since 1938 when we first joined. We’re codified under Title 22 of the U.S. code, and Title 28 of the code of federal regulations. Again, quite simply, it’s our responsibility and our mission to extend U.S. resources into the international community, and that’s U.S. resources from over 18,000 law enforcement agencies around the country. And we put those into 188 member states. The management structure of Interpol, Washington allows us a unique opportunity to examine the breadth of the Department of Homeland Security and the Department of Justice. In fact, we are co-managed. The director is currently a member of the U.S. Marshal Service, the Department of Justice; I am from the Department of Homeland Security and ICE. This also gives us incredible access to the rest of the U.S. community --Department of State, Department of Defense, and certainly state and local resources -- by having liaison offices in [14] Georgetown Journal of International Affairs

all 50 states, another 13-14 major cities, and of course all of our territories. So we can put information quickly and appropriately in the right at the right time. The U.S. NCB supports these communications on a 24/7 basis, 365 days a year. We see nearly 18,000 messages a month: inbound traffic accounts for about 14,000; requests from overseas, 4,000 as U.S. requests going out. Most cyberefforts that we see right now are currently tied to ordinary crimes that have been now transcended and committed online. We’re talking about scams, IPR issues, phishing, child pornography, harassment, and certainly humanitarian issues such as threats and suicide. Most of the requests we get are specifically tied to attribution: preservation of log information, subscriber information, notice and takedown requests, and certainly locates on fugitives. So how do we apply that? How do you access that information, if it’s law enforcement for law enforcement? Well, you start again by contacting the United States National Central Bureau. I’m going to give a couple of quick email addresses and a fax, and then I’m on a roll. He gave me five minutes – that means I could finish up five minutes early here. So with that in mind, if you hit interpol.washington@usdoj.gov, that goes straight into the command center. Again, they will triage that information, get it in the right hands at the right time. They get information into the hands of the – across the federal government and they can drill right down to a local cop in a local shop. We also have a fax number that’s generally open to the public: 202-6168400. Now, we obviously maintain a lot of public and private partnerships and

International Engagement on Cyber

we continue to do so, and we certainly encourage you, if you have any issues you believe we can assist with, to reach out to us. There’s never been a question of too small – or certainly not worthy of comment or assistance. With that in mind – like I said, I promised to keep this brief and I will turn it over to General Hayden.

GENERAL (RET.) MICHAEL HAYDEN: Well, good morning, and

I am Mike Hayden, former director of NSA and CIA, and apologize for being late. I think we’ve all come here to learn; I’ve certainly learned a great deal already. For example – don’t assume that you can allow yourself two hours to get from McLean to Georgetown – (laughter) – on a day in which Congress is coming back from a 10-day recess. This is a fascinating topic and one that deserves great study, and you can already tell from the commentary we’ve heard so far this morning that each of us are kind of picking up a relatively familiar lens through which to look at this new thing. And we’ve heard a law enforcement lens – if you get me talking too much, it’ll be the lens of armed conflict, based on my military experience. We’ve already heard suggestions of sovereignty being perhaps a useful lens – the treaty of Westphalia – and then of course there’re a whole bunch of adherents out there that think of this as a global commons, as an area that is characterized by the lack of borders. I think we’re picking up the familiar lenses because this thing is so new. It is so different. It is the most disruptive thing for our species since – and when I have to fill in that blank the one I hit up on is, since European man’s discovery of the Western Hemisphere. I can’t think

of anything that has changed so many things, so completely and so rapidly – cyber domain has – in our history – has to go back to the Age of Exploration. By the way, I said that to bunch of folks in Las Vegas at the Black Hat conference a summer or two ago and they seemed to accept, yeah, it’s pretty dramatic and that wasn’t a bad analogy, until – (inaudible, audio break) – one gentleman approached me after it was all done and said, that was a brick shy of a load. That he actually thinks that this is more like mankind’s development of language in terms of how much it will affect not just our external environment, which is kind of what my analogy suggested, but man’s own cognition, which is what he suggested. So here we are, with something that’s moving very rapidly, really big, tremendous implications and we’re struggling to cope with its meaning. I have sat at a small office 17 blocks east of here with small group of folks where we had a cyberproblem and a cybercapability to deal with the problem, and absolute indecision, because we lacked a coherent policy framework in which we could place that which we were proposing to do. We simply weren’t comfortable with the precedent we may or may not be setting. As I mentioned, former director of the National Security Agency, I know the fourth amendment very well – protect Americans against unreasonable search and seizure. It began on my watch, as we began this struggle. I know it’s continuing on Keith Alexander’s watch. What constitutes a reasonable expectation of privacy on the global network in the 21st century? What is the American social contract with regard to that question I just proposed to you? [ 1 5]

PANEL 1: NATIONAL SECURITY, LAW ENFORCEMENT, AND DETERRENCE

And I think the answer is, we have no idea. This is so new and so disruptive. Even this whole question of, what is this space? The questions are so fundamental. Charlie mentioned the domain. And coming from the Department of Defense, I mean it just rattles off the tongue – land, sea, air, space, cyber. It’s a domain. Frankly, the paper that General Croom referred to that said we will no longer call it a domain was so stark and so – it’s going to sound uncomplimentary – contorted in its logic, so that we would not use the word domain, that I still think that this may be from The Onion – (laughter) – rather than from the West Wing. We have to fundamentally decide as a people what it is we think of this new thing. I’m going to use the word domain because I haven’t figured out what else to call it. And if you look at – if you look at American pronouncements with regards to this new thing, frankly, the only one who has begun to speak definitively about it has been the secretary of state. And if you look at this as kind of a binary choice – and that may be a false choice but bear with me – between free intercourse and free movement – the commons – and the need for security, the secretary of state keeps shading over this way. Now, look, I understand that freedom of movement in the cyber domain is not mutually exclusive with security, but they don’t really come to the merge real strongly either. And that one can indeed be it at the expense of the other. So those things that we may want to implement for our own security, I think at the highest policy level we’re reluctant to do so because we legitimate that tool for other nations whose intent for using it is beyond security. It’s for censorship. [16] Georgetown Journal of International Affairs

And so what General Croom, I think quite correctly, lays out as a workable theory, the application of Westphalia to this new domain – you have others who will point immediately to that kind of movement and call it the Balkanization of what is naturally a human universal generalized space in which we should work. These are really fundamental questions and sessions like this help develop the national dialogue which one would hope would lead to the national consensus as we move forward. In any event, it’s exciting to watch, and it’s certainly game on. And with that I will stop, and it’s now your turn to question and to comment on what’s gone on before. Thank you all very much.

(Inaudible,

audio

break.)

GEN. HAYDEN: It sounds like it’s

– that question has a bit of a martial air about it, so with my DOD experience I’ll run at the first cut. The thing that strikes me about that – and I’ll get specifically to the question in a minute – but the way you frame it, I think, brings up a very interesting point. We are incredibly sloppy with our language when we talk about this thing. We very facilely describe anything unpleasant that happens to us on the Internet as a cyberattack, and I have to tell you, those who are actively involved in doing that on behalf of American security have much more narrow definitions of what constitutes attack. Let me just say about the taxonomy very quickly, you’ve got – you’ve got cyberdefense, I think we’re familiar with that. Cyberexploitation, and for whatever purpose that might be -- industrial espionage, state-sponsored espionage –

International Engagement on Cyber

it’s just stealing data. Then you have cyber disruption. There I’d kind of throw in Estonia and Georgia where it’s kind of a cyber-on-cyber attack, and the victim of the attack was the network. And then finally you’ve got Stuxnet, and I view Stuxnet as being really, really groundbreaking in terms of this taxonomy of what happens on the net. Here’s a cyberattack whose effect was not just a cybersystem. Here’s a cyberattack that actually created – if you can believe what you read in The New York Times – that actually created physical effects. That it actually created physical destruction through cyber means. I think that’s crossing the Rubicon, and sets in motion a whole bunch of questions, other questions for which we have not yet developed answers. And I’ll stop; others, I’m sure, will have comments.

REP. THORNBERRY: Well, and I

would just add I think a lot of folks had their oh-my-goodness moment with Stuxnet because, as General Hayden said, it’s not just destroying data in a computer or disrupting the operations of computers, it is physical consequences outside of the computer, which takes it to a whole different level. And so I think a lot of eyes are being opened. The only other thing I’d mention is read the L.A. Times yesterday. Physical consequences in a water treatment plant were an exercise, but it was easy to have the effect of changing the chemicals that went into the water. So I think we’re just beginning to have all our eyes opened as to the physical manifestations of what could be done and therefore how vulnerable we are.

WING CMDR. PARKHOUSE:

I think what’s interesting about Stuxnet and the related high-profile-style incidents is if the incident itself is obvious to the general population or if the victim themselves goes public about the incident, then there is a large population out there across the world that has the intent and the capability to investigate it to the best of their ability and to publish what they find. And therefore, as the perpetrators of something like that, you may not be relying on the well-established norms of the state – in terms of what’s said and published, and everything else – you may be dealing with lots and lots of small- or medium-sized thrown-together organizations, forums, whatever – that themselves will do an investigation, and you don’t know where that’s going to go. So I think that’s what’s been interesting about GhostNet, Stuxnet and everything else. It’s that the citizen-journalist, the citizen-investigator, is out there and they’ll make sure that perpetrators, those are also held accountable or at least – at least talked about.

Q: A very quick follow-up survey. Could

you fill your – raise your hand if you think that that attack would have been legal for the U.S. to do under U.S. law? (Laughter.) OK. (Laughter.)

GEN. HAYDEN: No, whoa, whoa,

wait. It would have required a finding from the president and, under espionage law, Title 50, I could see circumstances – and I’m not saying that these circumstances existed – but I could see circumstances in what such – in which such an action would be well inside U.S. law and the president’s authority. [17]

PANEL 1: NATIONAL SECURITY, LAW ENFORCEMENT, AND DETERRENCE

Q: Hi, my name’s Juan Ricafort. I’m an eliminate it. I believe our government undergraduate senior here in the School of Foreign Service with the science, technology and international affairs program. My question is about the applicability of Westphalian or military domain models to cyberspace, specifically, how do these models reconcile the fact that one of the most important and distinguishing and, some would argue, valuable – characteristics of cyberspace is that not only was it created by humans, but it is still being created by humans. For example, when we came out with Web 2.0, social media – services like Twitter – I would say that, in a sense, we pushed the boundaries of cyberspace or we created a new subdimension of it. I would say that this is partially somewhat different than other frontiers that we’ve dealt with in the past. And my question is, if we put up fences to tame this frontier in the way that we did with the Wild West, for example, do we risk decapitating the openness and generativity of the Internet and cyberspace which are part of what make it so valuable and worth protecting in the first place.?

needs to work with our Internet service providers, establish them as gateways and have them eliminate much of the garbage that comes into our nation, and I think other nations can do the same. It won’t impact privacy. We need to provide some protection for those ISPs, as they do that. But I don’t see any reason why that can’t be done and be a first step.

GEN. HAYDEN: I take your point

about the nature of the Net and of the five domains. The first four were made by God, and frankly, I thought he did a better job than we’ve done here. There’s another inherent characteristic of this fifth domain that makes it more difficult for folks who’ve kind of been at work where Charlie and I have been, inside the armed forces. I’m creative enough to either know an historical example or to imagine a future example in which future conflict in one of the other domains is entirely contained in that domain: Battle of Gettysburg, land domain; Battle of Britain, air domain; and so on. That’s by definition not true in the LT. GEN. CROOM: I’ll start with cyber domain. And that’s actually one it. Thank you for the question, not of – remember those -- mentioned that I have the right answer. First of all, those sit room meetings, where you’re reference it being man-made, seems to trying to figure out what to do and it me to make it even easier to establish has policy implications – it’s easy to gateways that traffic can move in and think of this as a video game. But when out. Two, we see examples of Austra- you take any action in this domain, this lia, for example, with their work with fifth one, something happens in one their own Internet service providers, of the other four. There is a physical which are the gateways into the Aus- effect even if it’s on a server, and that tralian local area network – let’s call server is in someone’s currently soverit – where they can control this stuff. eign space. And that adds an additional My personal view is there’s no reason complication, an additional distinction for botnets. Our Internet service pro- between this domain and the other four. viders see that type of activity, they can [18] Georgetown Journal of International Affairs

International Engagement on Cyber

LT. GEN. CROOM: I would add the Internet technology – the basic tech– seems to me all the domains are different: land, sea, air, space, cyber. In the sea we have laws of the sea to provide control and some guidance and governance. General Keys was mentioning to me this morning the example of the FAA. As we travel through air space, we have rules that dictate our use and govern our capabilities through that. So it seems to me if you want to protect citizens right, a good economy, you’ve got to have a minimum set of governance to allow that to happen. Thanks.

nology or its logical extensions and follow-ons – then it would be considered part of the Internet even though it might be disconnected. So wouldn’t it be troubling trying to set legal norms and, as a lawyer and having worked with United Nations’ groups, to try to have another parallel universe under some other label? Now, it’s just a general observation; I appreciate your reflections.

WING CMDR. PARKHOUSE: I

think – in developing the U.K. definition of cyberspace, and we’ve worked Q: Good morning, my name is Patrice closely with allies on that – one of the Lyons. I’m an attorney in Washing- key – the key facets of the definition has ton, D.C., and I’ve worked with the to include its interaction with the social folks that brought you the Internet; space – the interaction with people – I was counsel for – oh, almost 30 and I think that’s a really, really imporyears now – Corporation for National tant part of it. And cyberspace is actuResearch Initiatives. I’m sensing a little ally – is characterized by it being almost -- problems with definitions from per- a mirror of our life. You know – and son to person, as you were talking. I think, therefore, you can’t just treat Now, for a lot of years, we’ve been cyberspace as a technical issue and theredoing research on management of fore having technical remedies to it. So, that said – and then it’s like all informations expressed in digital these things in this area – I’m not forms, and the information can be completely disagreeing with – you can of a wide variety, whatever you choose make steps in the technical areas, but to express, and it’s capable of being represented in digital form. And you that’s not the whole problem. The can secure things at that level, and it whole thing is this is actually, you know, moves beyond sort of the port-specific- replicating society and it’s the – it’s type DNS systems of today. That said, replicating the interconnectedness of I also go to a lot of meetings in other society. It’s replicating the dependency countries, especially United Nations in society, and I think when people gatherings on Internet governance. are using sort of the phrase “cyber,” I’m finding it troubling trying to under- that they’re using “cyber” to represtand – and that’s one reason I came today sent that set of opportunities and risks. – why we need the concept of cyber when we’re really talking about digital infor- Q: But that’s actually my point. You’ve mation and managing that information. actually made my point very well, and the Some will say, well, you know, it’s gentleman from Interpol – he said some behind our firewall. Well, if you’re using of the things that come along. I started [ 1 9]

PANEL 1: NATIONAL SECURITY, LAW ENFORCEMENT, AND DETERRENCE

as a copyright lawyer. The notice and take-down – it is actually that dimension, the human dimension of interaction – what you do with the technology, not so much as the technology itself, the technology would be enabler. So I agree with that, but I’m still troubled by why you have to have a different label. But I think I’ve made my point.

cyber is, however, a stellar example. You don’t know what you’re dealing with, whether it’s crime, espionage, terrorism or warfare, as those packets come hurtling through cyberspace. But, I’m also – having been involved in creating the Department of Homeland Security and various other – and also the DNI office – I also don’t think organizational reform is the end-all, Q: Roger Kuhn, science adviser to the be-all, and sometimes it even sets you United States Navy Fleet Cyber Com- back a little bit. I still think creating mand, commander 10th Fleet. I guess the Department of Homeland Secuthis question is primarily focused at rity was a good thing to bring those 22 the congressman. Given the fact that different agencies all where they can some people would contend that the be working off the same page rather joint military concept was not estab- than scattered all over the government. lished until the establishment of But I don’t see a massive cyber agency Goldwater-Nichols legislation, would to deal with this; that just crosses too you contend that in order to facili- much. So we do have to get, in my view, tate interagency cooperation with those more coordination stemming from very many three-lettered agencies there OMB, GSA – kind of those crosscutneeds to be a Goldwater-Nichols two? ting agencies that help the government And if that thinking hasn’t been – improve its own cyberspace. But we’re come about within Congress, would going to have to have it where Departthere need to be some breach or some ment of Homeland Security works with kind of tragedy, like the hostage res- Cyber Command, works with FBI, othcue debacle associated with the Iranian ers, in order to be as effective as we crisis, to necessitate said legislation? want our country to be in cyberspace. I don’t know whether that needs a REP. THORNBERRY: There Goldwater-Nichols two but it darn has been a fair amount of discussion sure means we can’t live in stoveabout Goldwater-Nichols two taken pipes, and we can’t make turf proto the interagency level. And really, it tection the end-all, be-all – which is has come about in my experience not part of which has prevented action so much when talking about cyber but in Congress over several year period. when talking about our efforts in Iraq and Afghanistan – how do we get all MR. HENRY: I’d add that while cerof the agencies to bring their resourc- tainly there’s a lot of room for improvees to bear so that the military doesn’t ment, and we can always do better, have to do everything, essentially. there’s actually been quite a few successes And there’s been a fair amount of with – in the interagency process with the frustration about that. As I men- coordination between the intelligence tioned in my comments, I think community, FBI, DHS, DOD and oth[20] Georgetown Journal of International Affairs

International Engagement on Cyber

ers. There’s been quite a bit of success. Some of the other speakers earlier talked about criminal aspect of this – the criminal element in terms of prevention. But a lot of the collaborative efforts among the community has allowed us to collect intelligence and share intelligence with the private sector to actually prevent some of these – some of these attacks. So while there’s always room for improvement, there’s actually been quite a bit of success in the interagency process, particularly in the last three years.

Q: One final question. General Hayden

talked about the uniqueness of the fifth dimension, so that if something happens in cyber it affects the other four dimensions. As a scientist, I characterize that cyber covers every medium that can support the propagation of electromagnetic radiation. As such, given its electronic warfare capability, would you characterize an F-35 fighter, for example, as a cyberweapon?

GEN. HAYDEN: Sounds like a mil-

itary question. (Laughter.) I’ll start and ask General Croom to move forward. It begins to get fuzzy. But when you think – but when you think of the capacities we’ve put aboard F-35s or even F-22s in addition to everything else it is, it does become a really capable node on the network. And it’s useful and – no, it is useful to think about it that way. Sorry to be long about this, but – OK, go back to – let’s do signals intelligence. All right, and we used to – we used to think of collecting those signals from earth being somewhat different than collecting those signals from space. That’s a very 20th century, industrial age way of looking at the problem. I

think the 21st century way of looking at the problem is that that is a unified network and the fact that one happens to be in orbit is an interesting fact – but not compelling – in terms of how you consider it. We’re kind of moving in that direction with some of these very capable platforms now – that in addition to what it is they began life as, they’re now nodes on a network.

Q: Hi, Neal Pollard, adjunct professor

at Georgetown – until recently I was a U.S. government officer. I have a question for the whole panel; I welcome your perspectives in each of your current or official roles. In my understanding in the evolution of Cyber Command, General Alexander now wears two hats – both Title 50 intelligence officer authorities at a very, very senior level and also Title 10 combatant commander levels. What opportunities or benefits do you see deriving that are truly new from such an arrangement – again from all of your perspectives – and what issues do you see that ought to be managed or that arise from this arrangement? Or is this something that’s really not new?

LT. GEN. CROOM: All right,

thank you for the question. I think it’s just an evolution of maturity of where we’re going. Prior to U.S. Cyber Command we had offense and defense split – I was the commander of the defensive side, the JTF-GNO; the JFCC network warfare was under General Alexander. We all believe that a good defense contains an offense, that offense informs defense. and I think to facilitate the ability to better communicate and to better tie those together the U.S. Cyber Command was created. [ 21 ]

PANEL 1: NATIONAL SECURITY, LAW ENFORCEMENT, AND DETERRENCE

Along with U.S. Cyber Command came a structure underneath U.S. Cyber Command that we call components. Army, Navy, Air Force and Marines bring their own capabilities to that so there is a formal military structure – command and control structure – that I think not only is wiser because it can inform each other but can also act faster because it’s better streamlined.

GEN. HAYDEN: I was – I was the

JFCC-NW commander, which was the forerunner to Cyber Command when Charlie was – the defensive squad at DISA. So I totally agree with how he’s drawn the picture. That said, I think we’ve set in motion a dynamic, one that I support, but one that has byproducts. All right, General Alexander now is a four star – because he is Cyber Command commander, not because he is director of NSA. And NSA – the National Security Agency – produces about half the intelligence America gets in any 24 hour period. There will be a dynamic that General Alexander’s character as a Title 10 combatant commander will consume more and more of his and the entire structure at Fort Mead’s energy as time goes on. Perhaps just reflecting my own background, one needs to be careful that one sustains what used to be done and used to be called full-time day work at Fort Mead, which is an intelligence function. I would be surprised if we ever again – since the director of NSA and the director of Cyber Command are now the same human being – I would be surprised if we ever again see a career intelligence officer in that job because the Cyber Command, four star, Title X function will become increasingly dominant. [22] Georgetown Journal of International Affairs

WING CMDR. PARKHOUSE: I think one thing that I’d add to that is that in terms of the national capability, it is all on a continuum. And I just, you know, I think – many people would disagree – but just add in the crime bit, the law enforcement piece is also on that continuum. And you’ve got to have a smooth integrated system that can move through law enforcement, intelligence and the war fighter, if you’re going to tackle this problem effectively.

REP. THORNBERRY: And that

– as we were talking a while ago, we can’t live in a stovepiped world, the world is not neatly divided into Title 10 and Title 50, so I think this helps break down some of those walls, where the information you receive on one hand can be used to defend right then, rather than going through an interagency process. I think that’s positive.

Q: Champa Soyza, from the School of

Continuing Studies Technology Management Program here. I wondered if you can comment about the difficulties of bringing to task criminals where the cybercrime originating countries – where it’s not a crime to do, for example, hacking and so forth. I imagine there’s a lot of difficulty, you know, when crime goes across international borders. And who would be, you know, the body to be responsible to assign, you know – bring these people to task?

MR. HENRY: So I – from the FBI’s

perspective – it’s a great point. Almost every case that we see at this point, and that – just let me preface it by saying, in the FBI, I wear two hats: I’ve got a criminal responsibility under Title 18, but I

International Engagement on Cyber

also have a national security authority as well against foreign intelligence services and terrorists. But from – specifically from the criminal side, much of what we see has some international nexus, and we work cooperatively on a regular basis with a lot of nations in sharing of intelligence, and sharing of information that allows us to be (actioned ?) and to actually have a mitigation on the adversary. Regardless of whether it’s a crime in a foreign country, a crime against U.S. interests is a crime here in this country. Now, that certainly creates some concern, because you may not get responsiveness from the host government. The FBI, with our legal attaches, we’ve got representatives in over 60 countries around the world. We work very, very closely throughout the international community to bring our resources, the USG resources, to bear against our adversary. I’ve also found that, in the last few years – five years, perhaps – many countries have actually changed many of their cyberlaws. There’s been great coordination at the international level, in the European Commission and elsewhere – many international venues – and countries have started to change their laws because they see this as an emerging threat. It’s not only a problem with their citizens attacking U.S. interests, it’s a problem with their citizens that are attacking their interests within their own nations, and they see the reciprocity and they recognize the impact on their economies from the growing crime problem, where criminals who have traditionally worked in the physical world have migrated their tactics to the cyber environment, and that they’ve got to keep pace with that emerging threat.

So we’ve seen some great cooperation, great international coordination. We’ve actually deployed agents into five or six foreign police agencies, specifically to work these cybercrimes. Coordination is done with the FBI, with Interpol – we’ve got some of our agents that are deployed at Interpol with the Department of Homeland Security and others. But there is a, I think, a very big, growing coordination in international environment.

WING CMDR. PARKHOUSE:

Great point. I think that the – this is one of the challenges of international (norms face ?). You know, just as the Council of Europe Convention on Cybercrime, you know, recommends, is that every nation needs to have a similar law that outlaws what you’re talking about. And nations have to have the capability to deal with it, especially when it’s down at the, you know – and this was sort of set up at the podium as I was rushing at the end – especially at the point of when it’s small, when it’s those first crimes that people start to do, those precursor thing, activities that people start to do. Nations have to actually focus in on that before it starts becoming an international problem.

Q: I’m Josh Burgess, work as a cyberintel-

ligence analyst for a miscellaneous government contractor. (Laughter.) We’re seeing with RSA and HBGary that everything is getting, you know, much more in the open. Cyberattacks are becoming much more prevalent, and they’re not – they’re not against little things here and there where they’re attacking, you know, government contractors who provide cybersecurity. So we’re moving the level – you know, in Air Force terminology, [ 23]

PANEL 1: NATIONAL SECURITY, LAW ENFORCEMENT, AND DETERRENCE

we’re moving beyond BDU-33s; we’re talking about Mark 84s at this point – heavy weaponry being dropped. What point are we going to start attributing, you know, at least announcing that we know who this is that’s attacking us, and start making a move towards, not mitigating it, but, you know, make a move towards doing something back?

REP. THORNBERRY: Well, I

think that’s what we’re trying to move toward, and using some of the tools that the military uses to defend its own networks to defend other (networks ?). And critical infrastructure is what most people say we ought to start with. But it is exactly the sort of question you posed that I posed at some of my hearings. So, for example, if Visa and MasterCard start getting attacked because of decisions they made regarding WikiLeaks, does the government have responsibility to help protect them from those sorts of attacks? And again, I think, we just haven’t grappled with some of these questions, and we are kind of inching our way that direction. So, for example, the pilot program that is just beginning would begin to defend some of the defense industrial base, using those kinds of tools. And then we have to look at all our – are our laws and policies consistent with defending U.S. companies and interests when they get attacked through cyberspace. So I don’t pretend that we have all the answers, but I do believe, as your question implies, we need to be moving out, trying things, taking steps in the right direction to provide greater security.

MR. HENRY: I think it was Gen.

Scowcroft who talked about defin[24] Georgetown Journal of International Affairs

ing the red lines, which is one of the major issues that was identified in the Comprehensive National Cybersecurity Initiative, and that is a critical policy issue. How do we define the red lines? We talked earlier about – I did, and General Scowcroft – about the nuclear issue, and then we knew who our adversaries were: if there was a missile being launched, we knew who the adversary was and it was very easy to respond. The attribution is a very, very difficult part here, and while we do have attribution in many attacks, the response that you – sounds to me that you’re recommending or suggesting requires almost certainty in a – prior to a response. And that is a very, very difficult issue, but it certainly is something that’s being discussed right now in the broad USG.

Q: Hello, my name’s Mike Zebrelein.

I’m a digital investigator, also with a cleared defense contractor, which is a, you know, a very important element of our national defense, national security. I want to key on – key in on the last word of the title of this panel, and that’s “deterrence.” I’d like to ask the panel why you think, over the past the eight to 10 years, deterrence has utterly failed with regard to the Chinese hacking threat pillaging our country’s innovation. And what type of measures do you think would be effective enforcing our will on adversaries to ensure that that deterrence actually works. Would it be something with regards to challenging foreign denials of hacking attacks by actually providing our attribution intelligence and essentially shutting them up in proving to them that we have the knowledge of their activities? Or would it be such as, we’ll suffer through

International Engagement on Cyber

attacks and move instead from cyberdefense, which has failed in my opinion, to retribution-style attacks where we incur consequences, either from a political, technological, or economic means of employment as a way of deterring these attacks? Because right now, as a digital investigator, I see a tremendous amount of things, and in – as a personal citizen and a, you know, a member of this country, it’s extremely concerning to me and it makes me worry about our future in the next 20 years.

Q: Don’t you think – don’t you

think, though, that the term “stealing data” – don’t you think minimizes the impact that this is truly having on our economy? It’s gone beyond military and government but pervaded into our commercial sector as well.

GEN. HAYDEN: I don’t question that at all. Fundamentally, nation-states steal other nation-states’ information; it is accepted international practice.

Q: Well then, I guess the question would GEN. HAYDEN: I’ll jump in be, then, what would be deterrents? very quickly. There’s a lot of things to mention. I’ll just mention two. One, deterrence, already suggested, depends on attribution. Attribution is devilishly difficult in this domain. The second, most of which you’ve described, I would put in that box of stealing data: exploitation as opposed to bringing down networks through creating physical destruction. Generally what I say when people bring up really malevolent actors – you asked of the Chinese – in stealing reams of data, I kind of respond more as the former director of the National Security Agency, I have to say – not that there’s anything wrong with that, OK? (Laughter.) CSIS did a study among first-world citizens with regards to who they feared most in cyberspace, and mostly had to deal with that one box – exploitation, the stealing of data. China was high ranking but not at the top. We were. And so I guess what I suggest when folks bring that up is, adult nations steal information from one another, and steal my secrets, shame on me, not shame on you. It requires greater defense on our part.

GEN. HAYDEN: Oh, let me let

other

folks

comment,

OK.

REP. THORNBERRY: Well I guess

I would say I’d think this is an area which I would perhaps classify as protection of intellectual property rights, where there could and should be greater international cooperation. That doesn’t mean you’re going to prevent every theft of information coming from wherever – and attribution is obviously a key problem here – but I do think, as the global economy has evolved, that through the WTO or some other mechanism, there has to be ways to put greater international norms and greater protection on intellectual property. And I think this is a way – this is one of those areas where international cooperation could be fruitful. Not that it’s easy, but it could elevate the standards a bit.

Q: Hi, I’m Ellen Nakashima with The

Washington Post. And I’d like to take us back to the Stuxnet case, which I think is a great case that we could even do an entire panel on. It’s sort of the red line [ 25]

PANEL 1: NATIONAL SECURITY, LAW ENFORCEMENT, AND DETERRENCE

moment; I think it helps us – could help us clarify some of our policies and our thinking. So my question is simple. If a Stux-like – Stuxnet-like attack were to occur on us and centrifuges were being destroyed, would you consider that an act of war? And if so, what sort of response would you advocate? And I’d like at least Generals Hayden and – General Hayden, maybe Congressman Thornberry and anyone else to weigh in please.

I think a very good first step would be a national declaratory policy as to how we would consider – and then fill in the blank – but one of the blanks would be physical destruction caused by cyberactivity. And my instincts are the national policy should be we would consider it to be the same as physical destruction caused by physical activity. But we have not yet said that.

What was the question? No. (Laughter.) Ellen, I wouldn’t begin to try to determine whether or not one would consider it an act of war. I just wouldn’t.

lems that we keep talking about – if you can prove who did it, if there is physical destruction – then my inclination – trying to not be a lawyer here –

Q: Why not?

Q: You are one, aren’t you?

REP. THORNBERRY: I think GEN. HAYDEN: Me? (Laughter.) that’s true. With the attribution prob-

GEN. HAYDEN: No, I don’t REP. THORNBERRY: I’m a have the legal background to make those kinds of – to make those kinds of distinctions. I’m sorry, there was another element to your question.

If you did consider it an act of war, what sort of –

GEN. HAYDEN: Oh, no, I understand. The answer is, I don’t know. And the reason I can say that with some authority is we have no national declaratory policy with regard to this kind of activity against us. And frankly –

Should

have

one?

recovering lawyer – (laughter) – and it’s been a long time since I really practiced law. But my inclination is if you cause physical effects in the country through cyberspace or dropping a bomb – the same effects – then it’s a similar sort of activity. But again the point I mention on the hearings that I’ve held this year is because I don’t think we’ve grappled with these questions. What do we consider an attack, or what is an appropriate response; what is our policy for dealing with such things –

What degree of attribution do you think we should have?

GEN. HAYDEN: Absolutely. Abso- REP. THORNBERRY: Seventylutely, and we should make it very clear I missed General Scowcroft’s comments but apparently he talked about red lines. In my comments I talked about – this is so new the big ideas haven’t yet formed. [26] Georgetown Journal of International Affairs

six?

Q: Seventy-Six point five? OK. REP. THORNBERRY: Yeah.

International Engagement on Cyber

Q: And is there any type of response that should have – with respect to what goes

on in the financial industry where a lot of it is really a digitized exchange REP. THORNBERRY: No, I’m of information crossing many, many on the never rule out options team. borders – thousands, millions of times in any given second around the world. And wondering what kind of policy Q: Nuke them? the U.S. has with respect to that. Having REP. THORNBERRY: So don’t seen your very clear statements yesterday rule out options – and the rest of the on “Andrea Mitchell Reports” – which story is, mostly likely in an incident I appreciate, thank you very much – I it’s not the only thing going on in the certainly want to hear from you as well. world. There are – there is another context to put this cyberevent in, and so part GEN. HAYDEN: I’m sorry – I of the challenge is to look at that broader mean, what are you specifically asking? context and where this event fits in that. And this requires some subtlety, a Q: Specifically asking is, what is our lot of information – best you can get currently policy with respect to the from your intelligence organizations, – we’ll call it generally the finanalthough they may not have all the answers cial industry – obviously being a very for you. And again, breaking it down by strong cornerstone of our economy – stovepipes is not the way we’re going to in terms of the cyber world? Simply be able to deal with this. So I think that because – far ahead of other indusis some of the challenge that not only tries, really – it has existed in a cyber our government but other governments environment for a much longer time. are going to have in the days ahead. GEN. HAYDEN: Yeah, OK, a couGEN. HAYDEN: We’re going to be ple of generalized observations since able to take only one more question. you threw the question specifically at me. Number one, I’m pretty comfortQ: Good morning. My name is H. T. able with the statement: The market Narea, and I’m a recovering invest- has failed. Market forces alone have ment banker. (Laughter.) So I under- not convinced American industry to stand the feeling. I spent about two do sufficient things to protect themdecades at J.P. Morgan Chase but am selves. The best reasoning I can give having a very nice experience being you is by analogies. Last year in governan adjunct professor at the gradu- ment we’re dealing with Somali pirates ate School of Foreign Service here. – an amazing thing in its own right Given that background, my question – one of the first questions asked in is: In terms of the financial industry, the Situation Room was, what’s the priwhich, as we’ve seen in the past few years, vate sector doing? And the answer was, it is part of national security for this the private sector’s paying $20,000 to country, the interaction that a Cyber Lloyds of London per hull and getCommand may or may not have – or ting on with their life. In other words, you would rule out, or would you favor –

[ 27 ]

PANEL 1: NATIONAL SECURITY, LAW ENFORCEMENT, AND DETERRENCE

they were accommodating the problem rather than attempting to deal with it. Frankly, I think that’s a fairly accurate description of what the private sector is doing with regard to cyber threats. We are hampered in doing what you suggested by, I believe, overclassifying cyber-related information – not just in government, but in the private sector. In government it is truly classification, and this may seem odd coming from a former DIRNSA – director of NSA – but I think it’s badly

[28] Georgetown Journal of International Affairs

overclassified within government. But industry is no better. Industry doesn’t share information enough to write – and industry, sometimes illegitimately, sometimes not so much, is reluctant to share information with the government. If we’re to arrive at common actions based upon common policies, there has to be a common understanding of the problem and that requires far more transparency than exists today. So my first suggestion would be to open up the gates with regards to transparency.

Panel 2: Cyber Security, Economics, and a Healthier Ecosystem GREG RATTRAY: Morning, everyone. Everybody’ll settle in, get relaxed, you

know. The first session was great. You know, hopefully we can keep that up on this panel and, you know, really want to keep the dialogue going, though. We do ask, with the first panel, a lot of speakers, try to keep on time. I’m going to introduce the speakers and then I’m going to make a few remarks myself and, you know, hand it off down the row. So this morning’s panel two is comprised of Major General Koenraad Gijsbers – from the Ministry of Defense at the Netherlands where he is the CIO and also has a national role in terms of cybersecurity. Eneken Tikk, who is the legal advisor to NATO Cooperative Cyber Defence Centre of Excellence. James Mulvenon, vice president of Defense Group Incorporated’s Intelligence Division, also chairman of the board of the Cyber Conflicts Studies Association. Jeff Carr, Founder and CEO, Taia Global, and author of “Inside Cyber Warfare.” And Andy Purdy, the Chief Cybersecurity Strategist at CSC and the former acting director for the National Cyber Security Division at DHS. Our panel is entitled, “Cybersecurity, Economics and a Healthier Ecosystem.” Having worked with the panelists some, we’re going to cover a wider range of topics than that, but I do want to start off with some remarks to hopefully frame the dialogue. And really, in some ways, I want to start off with thanking Georgetown and the Atlantic Council for sponsoring the event and make sure that we try to keep the focus up on the notion of international engagement and, you know, forming norms. I think this is something that’s essential. You know, I hope the dialogue here stays on the international engagement and even the global nature of the problem and hopefully the remarks I’ll start with will help do that. You know, I’m responsible for the notion of the ecosystem and the health aspect of the panel’s title, working with Catherine, on the event. And really I want to, you know, laud her bringing together such a distinguished group of people.

[ 29]

PANEL 2: CYBER SECURITY, ECONOMICS, AND A HEALTHIER ECOSYSTEM

I’m saying a number of very positive things at the start because I’m intending to spend my 10 minutes saying a number of – hopefully – pretty challenging things that are not at all meant to be negative, but I really have some significant, you know, concerns in the sense that we need to put the right lenses on the problem, and I think General Hayden, you know, talked about the fact that we’re using comfortable, traditional lenses. And I’m concerned that we’ve actually got ourselves in a place that needs to change dramatically if we’re going to make progress, and I’ll make my remarks really on three portions of that. So I know there’s some people in this room – one person is probably a close friend of the individual in the upper right-hand corner of that slide, who just looked at me – who knows that that’s Jon Postel. One guy used to run the domain name system for the Internet until the late 1990s. I make that point because the Internet was not designed for security. Guys like Jon and Steve Crocker, who’s in the room, work a lot on trying to make the system more secure at a technical level, but we need to recognize that we’re working in an ecosystem that inherently was, you know, designed to connect people and be open. And I think the most important comment was made in the last session was made by the Georgetown student who tried to challenge the panel with the fact that this thing is vibrant and essential globally; security is a means to the end, not the end. So if we really – I want to start the discussion, at least my remarks, from that proposition. We talk about ecosystems a lot with cyberspace; we really need to start to live that talk and I think there’s three implications of that. First, cyberspace is going to be risky.

[30] Georgetown Journal of International Affairs

We want it to be risky. We want it to be open and interconnected. And then the question is, how do you deal with that fact? You deal with it by being the most effective risk manager. You compete. You don’t try to hunker down behind borders, you know, lose the advantages that cyberspace and the Internet have provided for us. You really want to get out there and try to understand why you’re using cyberspace, secure yourself as much as you can, manage the resilience aspect of the fact that you’re having to assume risk, and you’re going to win by making the best decisions about risk assumption that you can, not trying to make yourself completely secure. Again, security’s a mitigation and a means to an end. It’s not the end, and I think competition is really going to be about effective risk management and resilience. That’s what – that’s in an ecosystem how the most effective organisms emerge. That’s how the most effective competition in business occurs, and I think we have to deal with the fact that in cyberspace, you know, that’s going to be the essential character as opposed to letting ourselves, you know, really focus on threat and security. Certainly, to risk-manage, you’ve got to understand your threats. And you’ve got to understand the controls that you can use for security, but we really need to focus on risk as opposed to threat. The other – the second real concept I want to throw out to the group is response. And really response in the ecosystem is really about the conditions for multiactor collaboration, and most of those actors are in the private sector. Defense in cyberspace will not be dominated by governments. Lots of discussion is about nation-

International Engagement on Cyber

al policy and cybersecurity policies in order to, you know, to improve cybersecurity, but cybersecurity is conducted – and I do have a background as 23 years in the Air Force and working with General Hayden, and having a national policy role here in Washington for a few years in the middle of this decade – but governments will conduct certain sorts of activities, but most of cybersecurity – and certainly the defense of cyberspace – is going to be conducted by a collaboration of a number of the actors on the bottom of that slide. I do want to mention the fact that this slide is a result of work I’m doing with a person named Jay (sp) Healey who’s also here. And Jay and I have been working a lot on looking at nonstate actors, which are usually considered from the kind of mindset of how threatening – and it’s true – cyberspace can make, you know, nontraditional actors, but are really missing the point that the most important aspect of nonstate actors in cyberspace is how ISPs collaborate with CERTs, collaborate with university researchers who actually understand where botnets are. And they share that information, at times work with the government, at times don’t work with the government, and actually remediate those threats. I use two examples. People here are better than I am at the first one. Estonia was defended through a collaboration, you know, mostly of ISP and network operators that helped mitigate the botnet attacks that were prevalent, you know, in that event. The other event which myself and others in the room – Paul Twomey, who’ll be a lunch speaker – participated in was trying to mitigate the growth of the Conficker worm a couple years back. It was really a collabo-

ration that crossed over a hundred countries, included collaboration with the Chinese, the Syrians and the Iranians. And that was conducted – and had to be conducted – through private sector means because that’s where the technical people knew each other. The domain name system operators know each other in operational level and they could pass information that allowed them to try to slow the spread of the worm. There’s also a downside to that story in the sense that that cooperation is hard to sustain over a long time and the fact that the worm morphed in a way that was not controllable through that collaboration when it went to peer-to-peer kind of growth. But the collaboration that worked almost had to occur outside of the governmental realm because it had to cross borders that aren’t easy for governments to cross, in terms of collaboration on cybersecurity globally when over 110 countries were kind of part of the necessary response of their country code top-level domains. The third point – and I’m also getting close to my time already, and I want to set the right example – is cleaning up. We really need to think about different models. We’ve started to hear this – certainly the leadership of Microsoft’s talking about a public health model, DHS just put out a paper in the last few weeks, talking about a resilient and healthy ecosystem – we need to look at public health and the environment as models for how we improve the ecosystem as a whole. We’ve started to learn how to do this globally in realms that are similar, you know, to some of the challenges we face in cyberspace. I really, you know, challenge everybody to think about how we form a World Health Organization [ 31 ]

PANEL 2: CYBER SECURITY, ECONOMICS, AND A HEALTHIER ECOSYSTEM

in addition to how we do treaties and law enforcement collaboration. All of those are important, I’m not saying one replaces the other, but we really need to think about an ecosystem and actually do the things it takes to manage it – an ecosystem – effectively if we’re really going to get ahead of the cybersecurity problem. So, with that, in the interest of time, I think I’m out. I’m going to hand it over and have the first speaker talk.

– but of course it very much affected the power that you could reach with diplomacy. If you look at the information or the social factors, that’s clear it’s at stake. In the military we really have to be better, and we are – as a military – being threatened, but we need to be able to keep the capabilities of course up. And the same comes for economic power. So all these elements that traditionally were safeguarded – you know, we thought we had them, we could develop MAJOR GENERAL KOEN- them, we could use them – that’s not RAAD GIJSBERS: So thank you automatically anymore the case. I think very much, it’s actually great to be here. that is also an element that makes the I heard some good news about the world different with the cyberthreat that Netherlands already, had the Muen- we see at the moment. And it’s not only ster peace in 1648 – (laughter) – you nation-states that is the issue, because know, we teach you a lot, to be honest. we all know that, for example, botnets But the – we are going to talk here can be developed by anyone. It’s on the in this panel about economics, and of Internet; you can look it up and do it. course the Netherlands has a great his- If you look at who nations use to be an tory of promoting economy all over the actor on the Internet, it’s basically hackworld. Actually, the start of -- already tivism. Have people that are promoted, in the 16th century where the East and supported or whatever to be able to do the West Indies Company sailed over things to become cyberprivateers on the world basically only to achieve one the internet. So that’s very difficult to thing, is get richer in the Netherlands, grasp. It’s very difficult to get to them. but that’s – that is what was promoted. So if you want to safeguard those What we have learned is that eco- instruments of national power, that’s nomic prosperity really comes with sta- not enough. You can also use them to bility and security. So if you want to be able to get this ecosystem healthier look at the issue of cybersecurity and and -- based on the global commons economics you really need to have – to of Internet. And that’s important; the my opinion – a broader perspective Dutch – European commissioner, Mrs. on security in which the economy will Smit-Kroes, she explained actually that be able to flourish if it’s going well. 50 percent of the economic developSo I have basically looked at the element of Europe is result of ICT – 50 ments of national power to look at the percent – which means that a lot of it is at security of a nation, and if you look at stake if you don’t safeguard that very well. the different elements of national power We believe this is not only a responyou see they’re all affected by the cyber- sibility, of course, for the private – for space. If you look at the diplomacy – I the public sector, but the private secdon’t have to mention WikiLeaks here tor, who owns all the infrastructure, [32] Georgetown Journal of International Affairs

International Engagement on Cyber

or at least 95 percent of the infrastructure, has a really major role. And that’s the reason that we in the Netherlands have just developed a new cyberstrategy, but what is more important, actually an action plan. You know, we don’t want to wait; we want to take action in 2011. That is basically what is in the plan. First of all elements in the plan is that we believe that the government – the government should be a promoter of trust in e-commerce. But the private sector needs to get its work done – they need to get more security and secure sustainable consumer trust in the cyberspace. Of course, that’s a responsibility for the consumer itself as well; it’s not only the private sector that has to do that. But that means education, training, promotion of the elements that have to be developed and standards if necessary. We are quite reluctant, actually, to use standards too much, but if it’s needed then it needs to be done. So the government must effectively combat cybercrime, and you can only do that if you link to all those organizations. That is part of it. We’ve seen Interpol, police, whatever. The third elements is that innovation is essential because the opponent is innovating faster than we are – so innovation needs to be implemented, and private sector is actually much better at innovation than the public sector is. So that is another reason why the cooperation with the private sector is vital. In the strategy we announced actually that in this year we will develop three new elements. We already have the cybersecurity platform CPNI.NL, which is a ISEC – multiple ISECs come together to share information of the vital sector – the banks, the whatever – on a secure level. That CPNI is an important

organization that will increase its work. In the cyberstrategy we are going to – we actually -- we will set up a cyberboard, a national cyberboard, which is led by both public and private sector. So the leadership is by the national terrorism coordinator as well as the CEO of one of the major ISPs. So it’s a combined effort of the public and private sector and is responsible to the government directly. And lastly, we are going to set up a cybersecurity center that will combine actually all the players in a coordinative role. Everybody will do its own, but they are all in the same house. And it’s not only civil – public and private – it’s also civil and military. My own center is part of that as well. So we are linked into that. And we believe that the armed forces can help there because the armed forces are actually pretty good at innovation and improving technology. And in the Netherlands, for example, I am the CIO of the Ministry of Defense but they actually appointed me to be the chief information security officer of the whole government because they think, you know, a soldier knows how to do that. So that’s what basically we have been doing, and as a result of that we believe that because of the cooperative effort amongst borders – over the borders of the different organization is vital to get the cybersecurity right and is vital to get the economy growing. Thank you.

ENEKEN

TIKK: It’s good to be back. Some people ask if I live here now or in Tallinn. So I’m going to talk about – I’m going to talk about the rules today. And the country where I come from is mostly famous, these days, because of the 2007 cyberattacks that the Estonians have blamed on [ 33]

PANEL 2: CYBER SECURITY, ECONOMICS, AND A HEALTHIER ECOSYSTEM

Russia. And if this is true, then Russia is the country that more or less created the job for me and four other lawyers working at the Cooperative Cyber Defence Centre of Excellence, because the 2007 attacks certainly triggered the activation – the activation of the center, which existed as a project already since 2003. And I’m talking about it because I want to kind of give you the perspective I’m talking from. My mission – the center’s mission -- is to enhance NATO’s cyberdefense capabilities, and my mission is to lead the legal and policy project to support NATO’s and the allies’ cybermission. And that means that whatever we do at the center sort of needs to be balanced in terms of what we suggest as legal and policy solutions to the cyber problems. And it’s not possible to be an expert of 28 nations’ – plus partners – legal systems. So that means we deal primarily with the international law and conceptual thinking of – on the international legal scene. Today, I’m here to address what has been addressed by some people before me, and these are the rules of the road, and maybe a social contract, and maybe also global concern about lack of regulation. And to tell you the truth – I think I started attending cybersecurity legal conferences about three years ago, and the question that constantly keeps being asked is: Do we need new legal – new regulations on international level? And I didn’t know the answer to that question. And one thing I did in order to be – say something about it: we started this research about what is currently, how much is currently out there that deals with legal and – cyber issues from legal perspective. And there is 400 pages of regulation that deals with

[34] Georgetown Journal of International Affairs

cybersecurity on international level. We didn’t stop there. Then we started looking into: Do we also have case law? And there is 1,300 pages of case law dealing with cybersecurity on international level. And the relevance of that is that we can’t say that on international level we are really missing something crucially. To prove my point, I – we did something else. We did something we call the 10 rules concept. And by the way, the – three or four others of this concept sit in this room, or stand or sit in this room today. And so, I’m going to talk about the rules that are actually supported by the existing legal framework on international level. And the point of talking about rules – and I know there is a challenge, sort of imposing rules, right, at the time where many people ask questions – but this is one of the – part of the – one of the (point ?) section. In this discussion of the – just the concept of 10 rules is about offering 10 solutions to 10 most challenging legal issues as a starting point for figuring out if the rules, if the existing law as it is, is good enough to take us where we need to go. And so I’m not going to address all of the rules in very detail. All I’m saying is that the point of the concept is to start discussion. And discussion in the fields such as, for example, territoriality. Many say that cyber is a global concern, so we shouldn’t even bother to impose national laws on this. As a matter of fact, this is half-truth because, as Estonian case, Georgian case, many other cases recently have shown, we don’t even have appropriate responses on national level to deal with the full spectrum of cybersecurity reaching from, yes, internal breaches through cyberwarfare, and in touching up on cybercrime and nation-

International Engagement on Cyber

al security (and other ?) cyberactions. Then the second rule is about responsibility. And, if we like it or not, on international level there is – exists significant amount of law about how do we hold states responsible. And the principle is, if something is launched – is a cyberattack is launched from a national – from a nation’s territory, and the attribution is there, that first state will be held responsible for about this – originating from its jurisdiction. Cooperation. Well, cooperation seems to be a common-sense rule, because due to the – due to the risk, due to the threats, due to infrastructure, we need to cooperate not only between nations, but also between governments and private sector, between different subject matter experts such as lawyers, military, policymakers, all the other people. And cooperation, therefore, is not just a common-sense rule, but again, to look for the law, the existing law that supports cooperation, we can look at the NATO Treaty, for example, where Article 4 is – which is a bit less famous than Article 5 – talks about consultations and cooperation whenever the territorial integrity or political independence of nations is threatened. Similarly, such provisions exist in cybercrime convention, for example. Self-defense, which is the topic of the fourth rule. It’s heavily debated area. But again, from legal perspective, we have a very clear rule. If – everyone, first of all, everyone has the right to selfdefense when facing a clear and imminent danger. That actually occurs on two levels. From an international perspective, we can engage in self-defense when we are facing – when a country is facing an armed attack. In cyber world,

that means an equivalent of an armed attack. What that is is not actually a legal question. And the person who made that clear to me is also in this room today. So – and there is – exists another concept of self-defense which is now from criminal law, which basically says if somebody points a gun at you, you can defend yourself. That means that hacking back actually has a legal remedy if it’s justified in defense of an ongoing or upcoming attack. Data exchange. Why I’m bringing up this topic: from legal perspective, there is a rule that many of us don’t necessarily like. And the rule is, first of all, data – especially in the European countries, but this is a concern worldwide – can be transferred to third countries under very specific circumstances. And as a matter of fact, today it is problematic to transfer IP addresses out of – outside of the European Union from European Union. That means, basically, information exchange about the incidents between NATO and European Union extremely difficult. If you like – don’t like the rule, there is one way to get rid of it: That’s changing the rule, or making an exception. And that needs to happen on national level and can happen on national level. The sixth rule is about duty of care. Again, it’s an old rule, nothing really new, and the point here is that we have exercised duty of care under legal regulations for ages. We know that if somebody processes personal data, this person needs to secure that data. We know that if you provide e-commerce services to consumers, you need to make sure that the appropriate security is delivered. Early warning is a seventh rule, which is about, actually, a Lithuanian case in [ 35]

PANEL 2: CYBER SECURITY, ECONOMICS, AND A HEALTHIER ECOSYSTEM

2008 where an ISP chose to inform its clients about an upcoming cyberattack, and thereby brought us back to, for example, the information – public information concept, which says a nation is obliged to inform its citizens, its subordinates about the threats to their property, life, or health. Then, two further rules. Criminality, which is very well known to this country because about 10 years ago, the U.S. started – a bit more ago, the U.S. started to – discussions and they invoked the cybercrime convention. Now, we’re basically entering the second round of cybercrime convention where we just need to adjust the criminal policy in nations to actually use the same vehicle for politically-motivated cybercrime. And the last rule in this package is the mandate rule. And the mandate rule is, again, an old truth, which says that every international organization, every public authority functions under its mandate, within the limits of its mandate. And it’s my suspicion that today, many international organizations have overlapping mandates and have gaps between their mandates. And that makes, in my opinion, many countries this day not the wisest subscribers to international legal framework.

By way of introduction there’s nothing better, I think, than my Twitter profile. It just says: China, cyber, intelligence, craft beer and Michigan football – but not necessarily in that order. (Laughter.) I want to make three quick points today that – related to this topic of which Greg and I and others have been deeply engaged, it seems, for a long time. The first is that – is the battle is clearly joined for the future of cyberspace, both at the state and nonstate level. I mean, I have a vague memory in the past of a time where John Perry Barlow was writing about how governments had no authority in cyberspace and this was going to be, you know, a completely new domain without sovereignty. I remember a time when our worries about intrusion sets were Chinese hackers taking down the public webpage of whitehouse.gov and Taiwan hackers putting Hello Kitty animated logos on Chinese government websites. I mean, that was – that was the sum total of the gravity of our concern. You know, oh, halcyon days. But we’ve clearly seen the evolution of this network from basically a fun, interesting plaything to the key linchpin of the global economy, some huge percentage of our GDP in innovation and dynamism. And all the dependencies and interdependencies that go along JAMES MULVENON: Thank with that. We’ve also seen a shift, in you, Eneken. My name is James Mul- my view, from a government perspecvenon. Every China specialist has to tive, of a benign toleration of this area have a little red book. (Laughter.) for playing around to one in which Let me begin by saying thank you, first there is a very determined effort on and foremost, to Catherine Lotrionte. many levels, I think, to – what I call You know, I go to a lot of cyber meet- the re-sovereigntization of the internet. ings in Washington, but this thing is Now, I was an author of a global comclearly on a completely different level mons study at CNAS with Abe Denmark and that’s a real tribute to her and and Greg and Jay Healey and others, so her energy and enthusiasm for this. we clearly were arguing about whether or [36] Georgetown Journal of International Affairs

International Engagement on Cyber

not cyber was a global commons, and it clearly had very different features than some of the other global commons. But some very important facts, I think, that a number of governments have worked up to in the last five to 10 years as these dependencies were created, which is the fact that every node, every server, every router is in the sovereign boundaries of a nation-state. Even every submarine cable which traverses the socalled commons is owned by a private company or a public company which is then subjected to the incorporations and laws of the state in which – the nationstate in which it was incorporated. In other words, the entire architecture we’re talking about – there is no part of the physical, technical architecture that is not bound up in traditional, legal notions of sovereignty. And as such, governments then say, well, we have these enormous security problems and we have this enormous percentage of our innovation and economy that is riding on this – we need to reassert our sovereignty. But at the same time you have this countervailing trend of the WikiLeaks and the Jasmine revolutions impeding and saying, well, no – for a long time this was a – this was a place where we could enjoy privacy, we could enjoy anonymity, we could talk about how we like to run around in the forest and paint ourselves blue and shoot bows and arrows at people and do all those things that we wanted to do on the network. Don’t impose authentication and encryption and signatures – don’t force us to go to true name, you know; you’re taking something away from us. And that was certainly a message in the Middle East, which is: This Internet, this Twitter, this social networking

environment, this belongs to us. This does not belong to the governments. And yet the governments were saying, we have kill switches. You know, we’re going to tell Vodafone to just turn it off. You know, and so this – in my view, the battle has finally been joined for the future of this. And on the one hand you have the Barlowites who say, you know, that just because the architecture is bound by sovereignty doesn’t mean my actions are bound by sovereignty, and on the other side you have the Benthamites, you know, who really want to have the panopticon; they want to build the perfect prison. And we see countries all around the world building an increasing mesh of a surveillance state with biometrics and CCTV and network surveillance. I mean, for those of you who haven’t seen the video that the Dubai general director for state security put out about the Mossad kill team that went in and killed the Hamas guy in Dubai, what was astonishing about it to me was the extent to which in such a short period of time they could piece together an entire video narrative of every single member of that kill team coming into the country, surveilling the recon teams at the hotels, the kill teams getting off the elevators – all because of this ubiquitous CCTV surveillance state that have been put up. And that is increasingly the norm. My second point is, as a China person, I have to talk about the fact that in many ways the Sino-U.S. relationship is a microcosm of this conflict that I’m talking about. We all know about the intrusion set, we all know about the militarization of cyberspace on the Chinese side and the relationship between that and the standing up of CYBERCOM and everything else. [ 37 ]

PANEL 2: CYBER SECURITY, ECONOMICS, AND A HEALTHIER ECOSYSTEM

And Jim Lewis, under whose wise leadership I’ve been participating in a U.S.-China cybersecurity dialogue – we’re beginning to have a conversation with the Chinese side about some of these issues. But what it’s really surfacing is how in many ways we’re on opposite sides of many of these discussions. The U.S., through its benign sponsorship of ICANN and other organizations, I would argue, is a status quo power in many ways in this discussion. And very uncomfortable with some of the elements of this re-sovereigntization, although in other areas, counterterrorism and others, we certainly have sought to exploit some of those – some of those relationships for the benefit of U.S. national security. I would argue that the Chinese government by contrast is a revisionist power in this environment. Whereas we favor globalization, they’re pushing a centrally planned form of mercantilism that seeks to use IT standards globally as a trade weapon, rather than allowing, as we have in the past, IT standards to develop through a relatively apoliticized process involving IEEE and ISO and others. The Chinese side views this very much in the process of developing indigenous innovation from a central planning perspective. The Chinese government has made it very clear that they have no use for the Internet Governance Forum and would love for the authorities of ICANN to be transferred to the International Telecommunications Union under the U.N., which is obviously a state-based forum, that would give less voice to the nongovernmental organizations and other pesky do-gooders, in their view, that would seek to maintain these zones [38] Georgetown Journal of International Affairs

of privacy and anonymity on the network. My third point would be that while it’s easy for us to continue to focus on the latest outrage in the intrusion set, if we want to think strategically rather than tactically we really need to move to what I’ve been calling the long game. And the long game is really the things that are going on where we’re more or less engaged that really are going to define what the architecture looks like in 20 to 25 years. Many policymakers here in Washington I think have finally woken up to the dilemmas we face on the supply chain side with regard to information technology products – again, I’m not a military historian but I’m trying to think of another example in which in a new dimension of warfare, one major adversary is completely dependent on the supply of the weapons of that domain from another adversary. It’s as if during the Cold War the only source of uranium in the world was in the Soviet Union, and we were negotiating to trade with them for uranium so that we could build nuclear weapons with which to target them. The fact that every electronic device in this room is made inside the nation-state of a country that has clearly shown itself to be a major nation-state cyberadversary to the United States, either at the espionage or at the military level, is very troubling and yet there are no easy solutions because, again, of our embrace of globalization versus their revisionist embrace of neo-mercantilism. Second would be, and related, is export controls, which we have sought in the last couple of years under this White House to reform – but to reform in a way that allows greater trade rather than looking at some of the issues that

International Engagement on Cyber

we’re talking about. We continue to struggle with the Chinese side on the CFIUS issue. You know, I personally if I’d been a Chinese trade official I probably would not have tried to allow Huawei to buy 3com as a first foray into Chinese ownership of major U.S. companies – as watch the entire U.S. government going into paroxysm with the idea of Huawei owning infrastructure and technology in the United States. But even at a higher level, the Internet governance issues that I mentioned with regard to whether we continue to support the ICANN model or whether we want to move to a more state-governed model like the ITU. And then finally, the longest game of all, the use by the Chinese side of IT standards as a trade weapon, the pushing of inferior technological standards that have already been rejected by IEEE and ISO – but nonetheless using their market access and leverage to force multinationals that are assembling and building their equipment inside of China to integrate them with these – with these inferior standards as a way of distorting the very development of global IT standards. And then all of the corresponding downstream implications of that for either the strength or the weakness of the architecture we’re trying to build. So those are my three points, and I look forwardtotheQ&A.Thankyouverymuch.

JEFF CARR: Hello. This is really a sort of mind expanding experience for me, because when I was writing “Inside Cyber Warfare” I referred to James’ work, which is – and he’s one of the best in the world at what he does, and also Eneken’s work on the legal issues surrounding the attack against

Estonia. And unfortunately I’m not – I don’t know everybody else on this panel – but it’s – but it’s – Catherine did such a fantastic job. And thank you so much for inviting me to participate. I would give you my bio but I can’t tell you the names of any of the people that I actually work with, so there’s really no point in doing that. Although you’re welcome to – I think there’s some generic sort of thing on the table outside. I will tell you that I’ve had the distinct pleasure of having my blog at Forbes killed by the – probably the most powerful man in Russian Internet industry with a single phone call to Forbes. And that was all it took. I also had the unique experience of being the subject of a spear phishing campaign against U.S. government and military employees when I wrote a blog post about how Russia was – Russian hackers were sending out a spear phishing attack. Normally sent for financial gain, this time sent for obvious espionage reasons to U.S. government employees. Within 24 hours a new spear phishing attack went out under my name saying, beware of this spear phishing attack. (Laughter.) Just two weeks ago I got an email from someone who I mentioned in my book, another Russian entrepreneur who actually set up the stopgeorgia.ru domain. This was one of the command and control points for organizing Russian hackers to attack Georgian government websites during the Russia-Georgia war of 2008. He was – he owned the business which sold the domain name. Which brings me to one of the points that I wanted to make today, which is cybersecurity and economics. That platform at stopgeorgia.ru wasn’t hosted on a Russian server; it was hosted on

[ 39]

PANEL 2: CYBER SECURITY, ECONOMICS, AND A HEALTHIER ECOSYSTEM

a U.S. server, a company called SoftLayer Technologies in Plano, Texas. Plano is also the home of The Planet. Well, between The Planet and SoftLayer Technologies they host significant amount of malware that’s distributed by foreign actors, malware that can be done for any number of purposes. And I was hoping that when the congressman from Texas was up here this morning that someone might ask about this very touchy problem, which is, we have many, many U.S. companies, some of the biggest in Texas, but California, Michigan, other states as well, which are making millions of dollars every year by selling services to foreign actors without any verification of credentials, without any verification of the way that they make their payment. You literally today could go online, buy a server at The Planet in the name of Barack Obama, charge it to whoever happens to be sitting next to you’s credit card, and you’d be online in moments. So this is a very, very serious national security issue because we are hosting within our own country the platform by which attacks are being conducted. And there’s – there doesn’t seem to be the political will, because of the economics, to do anything about it. Unfortunately, it doesn’t really stop there. You all know about Huawei, obviously I’m sure everyone in the room knows that name, but how many of you know about a company called Huawei Symantec? Well, and that’s essentially why I wrote the short paper that’s available outside or via email. Huawei Symantec is actually a joint venture that was set up, 51 percent ownership by Huawei, the headquarters are in China, and they’re literally in the security business. They provide security [40] Georgetown Journal of International Affairs

architecture, security hardware and they sell it under – it is its own company, HS. You can go to their website, HuaweiSymantec.com, and find some really incredible stuff. For example: Huawei Symantec Technologies, a leading provider of network security and storage appliance solutions to enterprise customers worldwide. Well, if the name Symantec – and I know Symantec is a sponsor, Catherine; I’m sorry, I didn’t know Symantec was a sponsor when I wrote – when I took this tack, no offense for those of you that are here that are employed by the company. But attaching your name to a Chinese company’s name that’s selling security solutions benefits the Chinese company. It gives credence; it gives a certain sense of security. There’s a 2008 corporate briefing deck prepared by Huawei Symantec, it’s available online. On slide 12 it specifically calls out that the company is going to be building China’s first laboratory of attack and defense for networks and applications. And that is a direct quote. I would love to have some more detail about how Symantec is helping the Chinese government build a lab that has to do with attack and defense. Could be perfectly innocent, but at the very least, it’s questions like these that need to be called out, you know, and companies need to be more forthcoming. And if you’re an information security leader, like McAfee or Symantec or RSA – the recent attack against RSA, it could be catastrophic, nobody really knows because they haven’t been forthcoming even to their own customers, at the least the ones that I’ve spoken to. They haven’t really been forthcoming about the depth of that attack.

International Engagement on Cyber

And it’s why? Because it’s about economics. If you lose money, board of directors might get sued. If the board of directors gets sued, then you’ve got a shitstorm. You are – nobody is going to walk away from that. And companies are making decisions based on economics today that are putting substantial risk to U.S. national security interests. Speaking of Huawei Symantec, just recently -- this is within, I believe in March, in the month of March – they formed a new partnership with a company called Force10 Networks. Force10 Networks is a U.S. company; they sell to the U.S. government. Specifically, reading from their website: “Force10 Networks sells products to defense, intelligence and civilian agencies.” Well, they’re going to be selling Huawei Symantec devices and hardware. So prior to my coming here I sent them an email, I sent the contact – I found their press release, they had contact information, turned out to be a senior director of the company – I said: I’m speaking here today; I’m very concerned about this relationship that you have with the Chinese firm and particularly that you’re selling to U.S. government, intelligence and military customers. And what are you doing to vet what you’re selling? And the response was, one, we are in full compliance with whatever the current laws are. I mean, that’s a pretty much a standard CYA response, you know, we’re in compliance. And two, we’re not doing any engineering, we’re just selling, we’re just marketing. As if somehow that is less, you know, serious. So when Huawei is blocked by buying 3com or when they had to walk away from 3Leaf, or when the NSA told AT&T

they’d lose government business if – well, sort of lose government business – if they consummated a deal with Huawei, and Huawei realized it needed to change its strategy, it came up with this really brilliant strategy, which is, sell though U.S. companies to U.S. customers. I mean, it’s – and you all don’t even know, nobody – and that’s the – a friend of mine really sort of created CFIUS. I mean, he didn’t create it, but he built it up during the Bush administration. I sent him a copy of the paper to review and even he didn’t know about it. I don’t want to stay only with China, because it’s really not just a China issue. Russia has its own way of doing this sort of thing. And the predominant player, as an example, is Intel. Intel has been doing business in Russia for a long time, they’re currently with a – they have a lab, and I am terrible with pronunciation so I’ll give you the – it’s the – NNGU is the name of the lab – or it’s the abbreviation for the lab. It’s basically part of a department of radio physics; it’s at a Russian university. The lab itself is in a building that’s – everyone knows is controlled by Russia’s federal security services, the FSB. The lab is performing research which is of critical interest to the FSB. Again, this is very well known. And the research is overseen by an individual, a Russian scientist, who has performed work in the past for the FSB. So there’s literally no question that this is a lab with absolutely zero security when it comes to protecting their source code, their research, whatever it might be that’s proprietary to Intel from the Russia security services. In addition, Russia has this unique law that was recently passed. It’s Article [ 41 ]

PANEL 2: CYBER SECURITY, ECONOMICS, AND A HEALTHIER ECOSYSTEM

15 of the FSB code. And I’m going to read it to you the human – this – we did a human translation just to make sure it was accurate – but basically it says that any physical or legal body in the Russian Federation – this includes a foreign company that’s doing business in Russia, like Intel – that’s rendering mail services, telecommunication services of all kinds including systems telecode, confidential satellite communications, are obliged under request of the FSB to install into their hardware additional equipment and even code, and to comply with the request of the Russian government to do that. And this needs to be, in my opinion, addressed as well.

reality of the risk that we face, we need to articulate what we as a nation need to worry about and what we need to do about it. We have not articulated the strategic national priorities of the United States. We have not set goals, objectives and milestones so that we can track progress, we can measure success. We have not done it. Our nation, our Congress, our leadership has not stood up and made it happen. I’m encouraged by some of the thinking – the DHS paper that Greg Rattray talked about, “Enabling Distributed Security in Cyberspace,” that Phil Reitinger lead, the ecosystem approach – that to me is the roadmap that we as a nation, the public/private partnership, have to go down to drive real progress. ANDY PURDY: It’s a pleasure to But we have to look at the chalbe here. Time will tell whether we’ve lenges that we face and the terms of been in this conference before. I think what are the opportunities for us in what we’ve heard so far is a good sign. the way cyberspace works to drive real There are thousands of points of progress. But in terms of our nationlight promoting cybersecurity in the al interests – and I understand we’ll United States, but still we as a nation have the international strategy for are failing to protect American national the United States will come out very security interests in cyberspace. If we shortly. Hopefully it will promote the continue to do what we’ve been doing, national interests of the United States. although we may prevent the day that Our colleague mentioned a national there’s a digital Pearl Harbor threat- cyberboard. We have too many thousand ening the United States, if we don’t points of light. We can’t focus on what we act we will lose the intellectual prop- need to worry about and what we need to erty, we will lose the competitiveness do about it. We need to articulate those of the United States to our competi- strategic priorities and have a steering tors, our adversaries. We must take a committee made up of representatives more strategic approach to these issues. of the government and the private sector There are some heartening examples to set those priorities, those goals, those of people leading the good fight, and I’ll objectives and those milestones so we miss some of them, but Greg Rattray’s can track progress. We can achieve sucefforts, Paul Twomey’s, Tom Keller- cess, and we can facilitate accountability. mann’s, Jim Lewis, Melissa Hathaway, We talk about the comparisons to Charlie Croom, others. We have to stop nuclear war. The fact is, there are norms having the same conversations over and of behavior in cyberspace now that we over again. We must learn what is the have to use. Let’s not just jump to [42] Georgetown Journal of International Affairs

International Engagement on Cyber

the arms control model of governments imposing solutions. Let’s look at, let’s learn from those norms of behavior that ICANN and others have been trying to use. Those relationships between customers and the host, between customers and their Internet service providers and between the ISPs. When I was at DHS, we had an instance where China CERT would cooperate in investigations that we did. We had examples where ISPs in China – and I’m told this has continued – ISPs in China will cooperate when there are requests to identify malicious activity. Eneken talks about her point too about responsibility. We’ve got to use the current norms of behavior, the responsibility, because if an ISP is told there’s malicious conduct, they’ve got to do something about it. And that is the thing that we’ve got to build on in terms of the existing norms. We’ve got to start gathering information, not just sharing information about the bad guys. We’ve got to share information about where the attacks are coming from. And we have to look not just at the question of who is ultimately behind those attacks, because that’s tough. We have to look at the enablers in cyberspace. We have to shine the light of day and gather the data to identify those enablers, and focus: Are they on the side of making us safer, or are those enablers that are on the bad guys’ side? We need to make them choose sides in cyberspace and we are not doing that. Our efforts to be reactive – yes, we need to do more reactive things like the response to Conficker, more reactive things in terms of law enforcement. But we need to come together and say, look, this ecosystem approach – we have to bring the government and

the private sector in a true partnership because the private sector needs to do a lot more than identifying cyberincidents that they can complain about. The private sector needs to be part of an effort – and the best model I know of is the Financial Coalition Against Child Pornography – where law enforcement, Internet service providers, financial institutions, came together to develop a strategy. We need a cyberstrategy against online malicious cyberactivity that tries to address and identify a roadmap for addressing the frequency, impact and risk of malicious cyberactivity, and we use and focus on the enablers to help us do that. We look at the absence of requirements, the Kumbaya aspects of the public/private partnership, and the same things holds true for the malicious activity piece. For the public-private partnership – I was in another session yesterday where people were saying, oh, we need to share information better. We need to tear down the obstacles for sharing. Oh, well, the private sector now has a seat in the NCCIC, the National Cyber (sic) and Communications Integration Center. No, we need to say for the National Cyber Incident Response Plan, what are the requirements for this nation? What’s the information we need and from whom? What are the obstacles to get them? And let’s set the path to get the information that we need. Years and years are going by, and we haven’t gotten the information for the common operating picture of the United States. What are the capabilities we need to be able to share, public and private, for the analysis to understand? What are the capabilities we need for a response and for recovery? You look at [ 43]

PANEL 2: CYBER SECURITY, ECONOMICS, AND A HEALTHIER ECOSYSTEM

what the telecom industry did with government after Hurricane Katrina. We need that in cyberspace to understand what is necessary for the key sectors of our economy for situational awareness. What is necessary for our ability to analyze, to understand what’s happening? What is necessary for us to have an effective response against the most significant threats to the United States? And what is our ability, as requested by the Business Roundtable in 2006 and never – and it never happened and nobody ever looked at it again – hence the need for a national steering committee. The idea of what are the requirements, the capabilities and the contract vehicles if there’s a major disruption in the United States as to how we’re going to bring the capabilities that this nation needs back online. Those kinds of requirements are absolutely essential for us to drive significant progress in helping to address the risks to the United States. Thank you.

MR. RATTRAY: I think with

top security people in the United States, who recently died – where he was looking at the current Internet and said even the best systems that we’ve built in the past, like Multics, were not secure enough to put in this environment. And yet the ones that we have put in this environment have had standards which have been reduced due to, really, industry pressure. So that’s kind of the environment – how do you prevent the business models from exporting end security, which then we’re all dealing with? And this is pretty much focused on remote access. The key penetration factors we know how to get rid of, we know about privileged escalation, so I just ask the panel in general if they have some thoughts on incentives and how we might work that.

MR. RATTRAY: John, that was a challenging question especially since we actually don’t – I think have every – any economists up here. I’ll take a stab, but Jim’s – you want – did you have something?

MR. MULVENON: Yeah, well, I would just – the thing is, we were discussing norms earlier, and I think there’s an Q: I’ve got an easy question. I’m John Mal- economic linkage to one of the norms lery, a research scientist at MIT CSAIL. that’s being bandied about that I think is So when I think of cybereconom- important at least to raise again for disics, the first thing I think about is, cussion, which is the norm that says that how do we incentivize what I call the whether you’re a company or you’re a IT capital goods industry to produce university or you’re a country, that you’re higher assurance systems in an envi- responsible for remediating the hostile ronment in which most decisions are packets that are leaving your boundaries. based on cost considerations, which they And that if you’re told by a responcan be measured, and we have poor sible CERT that there are hostile packmetrics for the cyberassurance side. ets emanating from your network, that And I guess the other small detail is you need to remediate that, and if you that if we look at the current industry don’t, the economic remedy for that and look at the host – there’s an inter- is to be dropped in the peering relaesting quote by Paul Karger, one of the tionships with others until you do. that passionate statement, we’re ready for some questions. John?

[44] Georgetown Journal of International Affairs

International Engagement on Cyber

And if you’re a company and you’re dropped – this is Woody’s idea from Packet Clearing House, give credit where credit’s due, you know, one of the wizards that helped fix the Estonia problem – he said, look, if a tier one provider is dropped in the peering relationship because they’re refusing to remediate the botnet or whatever that’s operating in their network, they will cease to be able to guarantee bandwidth to their commercial customers and they’ll go out of business. So they have an economic incentive to actually clean up the swamp in their own network. Now, some people would say, well, that would require deep packet inspection, it would invade user privacy. But they can just as easily turn around and say, well, that violates your user terms of agreement. You’re not allowed, you know, we didn’t say you could run a botnet on the server that you’re leasing from us. And so that’s a linkage in my view between – it doesn’t address John’s question about technology side, but it does address the network dynamic. It links a norm, you know, which I think is a very powerful idea of a norm, to the economic underpinning that makes it a market-based policy solution and therefore potentially viable in an environment where so much of the infrastructure is owned by the private sector rather than controlled by governments.

MR. CARR: Also, just quickly, the

entire information security industry is broken. There’s really no other way to describe it. Companies are spending more and more money on security, breaches keep getting bigger and more dramatic. The companies had to build an industry, an anti-virus, IDS/

IPS, firewalls, every other type of security that you can imagine – all of these are not fulfilling the mission. And nobody is holding them accountable. So I think that probably the first step is to hold the information security company accountable for what they deliver.

MR. RATTRAY: Just a quick

thought, and Jim, I’m glad you distinguished – I mean what you discussed, and I completely concur with is, you know, economic incentives around network – you know, behavior on the network as opposed to what I’m going to provide as a very unsatisfying answer to John’s question on, you know, the security of the technologies. I think two things really limit that, right? First is, the complexity of those technologies I think make them very difficult to secure. You know, the millions of lines of code, the dynamics by which they interconnect, you know, makes it hard to run down everything securely. I’m not a technologist or an economist, but my sense from 15 years of the ecosystem getting more and more difficult to secure with more and more money going into secure coding and engineering – it’s just the dynamics are difficult at the technical layer. The second thing is the economic incentives to connect are just huge. We’re going to mobile banking. Is that secure? No. Is there money to be made? Hell, yes. Which is the dominant economic incentive? The bank security officers, I tell you, are scared but their CEOs, their CFOs and their marketing guys are like, if we don’t go there our competitor will. Prove to me that the risk of not going into mobile – I mean, not going into mobile banking

[ 45]

PANEL 2: CYBER SECURITY, ECONOMICS, AND A HEALTHIER ECOSYSTEM

affects my bottom line. They can’t. They can see the economic incentives to go there, they know the code’s not ready, they know the technology’s not ready, but the drivers are forcing them there. And I -- you know, John, I just don’t think we’re going to make a lot of progress in the big picture, the 25-year long view that James talks about, through technology. We’re going to have to manage risk and we’re going to have to be resilient as a consequence.

MR. PURDY: I do think there’s a

missing piece in terms of technology that we as a nation really ought to take advantage of. And that’s idea of creating an innovation sharing initiative that looks at the incentives from the other side. Make it easier for people who are consumers to find really good technologies. So if you can share information on the security requirements and what – to what extent the technologies can meet those requirements, there will be continuous process of improvement. And you look at some of those efforts of NIS (ph), with the enterprise risk management, the continuous monitoring, those things really tie into the ecosystem idea. And it also ties into the idea of you can make it easier for the folks who run enterprises to manage those enterprises and save money while they do it.

know, it’s interesting that you all talk about rules and whatever, and norms, but I think if people don’t buy it, it’s – you know, if people buy the stuff that’s not good enough because it’s cheap, it will not be improved. So I think it’s really an issue of the awareness of the users. It’s not bad enough. For many companies we see that in the Netherlands, that the awareness of, you know, the economic effect of not having good internet protection, good connectivity in their networks is really, you know, this is the cheapest way to do it. And they don’t see the impact is still there. So I would suggest that making clear what the risk is that they run both to the customer, the civilian customer at home, as for companies is an important piece to be able to improve it. And I don’t think rules will help too much because – especially in the European, you know, I can buy Internet stuff from all over Europe. I don’t have to go to the Netherlands. I can go to Belgium, to France, to Germany, to whatever. It’s the -- so I think you really need – the economic principle needs to be there.

Q: Good morning. I’m Gladys White,

I teach cyberethics here at Georgetown in the liberal studies program. I’d like to thank the entire panel for a wonderful set of presentations, but my question goes specifically to Dr. Mulvenon. You struck a contrast between BenMR. MULVENON: I mean, I’ve tham and Barlow, and I’m assuming got 14 AV programs running in my you were talking about Jeremy Bencompany network, each of which tham. Could you elaborate a little bit usually finds 10 percent of the mal- on the contrast that you were referring ware. That’s ridiculous. (Chuckles.) to and its implications? Thank you.

MAJ. GEN. GIJSBERS: There MR. MULVENON: Sure. I strugis another issue though, because you gled with whether I, you know, should [46] Georgetown Journal of International Affairs

International Engagement on Cyber

go for the easy one and just say Orwell, but the problem with – you know, the John Hurt movie is one of my favorite movies and, you know, they’re all destitute, right? It’s the – it’s the poverty of socialism in the movie, so this is not a dynamic – whereas the Chinese believe that they can create a dynamic in which they can have economic prosperity and a surveillance state at the same time, so that’s – you know. But Bentham was all about efficiency, and this – you know, so it’s an incomplete metaphor. But the panopticon – and this room is a panopticon for me. Particularly the guy back there with the camera, because as – those of you who’ve seen his design of the perfect prison, it has the tower in the center with the tinted windows, and then the cells are all in a circle around the tower and there are large windows on the outside, so that none of the prisoners can see whether the people in the tower are looking at them but the guards in the tower can see the silhouettes of every prisoner. So it’s the perfect prison. And it’s very much like the telescreen in “1984” or the various surveillance devices they had at RAND when I worked there to make sure that we were all reading shelling every day and doing all the things we were supposed to do – (laughter) – contractually. But the – you know, but it really gets to this idea of how the Chinese set up their surveillance system because it – you know, you read in the paper all of this incredible FUD and mythology about Chinese Internet censorship. And you could just as easily insert Saudi Arabian, Burmese, whoever you want to put in there – that somehow there are 30 (thousand) or 40 (thou-

sand) or 50 (thousand) or a hundred (thousand) or 200,000 Chinese people staring at screens. But in fact, the elegance of how they set up their censorship system, in a perverse way, is that they set up an environment where people are encouraged and incentivized to self-censor and self-deter because they don’t know whether the telescreen is on. But they have to act as if the telescreen is on. That’s the beauty of their model. And so – and then random sporadic enforcement with very, you know, egregious punishment that then sets in motion the whole “sha yi jing bai,” “kill one to warn a hundred,” or kill the chicken to scare the monkey kind of dynamics internally. Whereas Barlow was very much a libertarian model that said, you know, we just want information to be free and everything else.

Q: Good morning, my name is Dave

Smith. I’m the director of the Georgian security analysis center in Tbilisi, Georgia. I’d like to thank all of you for wonderful presentations. I have a couple of questions that I’d like to direct to Mr. Carr, who for those who don’t know is sort of a hero in Georgia. So Mr. Carr, first of all, I’d like to ask sort of a specific question. You alluded in the brief time that you had to obviously the collusion of the Russian government, particularly the FSB, with various organized crime networks. There is a famous or infamous one, the Russian Business Network. I wonder if you could say a few words about sort of what happened to them, how did – did they morph into something else, what indications do we have that the same guys are doing the same things in another guise. [ 47 ]

PANEL 2: CYBER SECURITY, ECONOMICS, AND A HEALTHIER ECOSYSTEM

And the second question is just to follow on some of the discussion that we’ve had here, some of the remarks made by Dr. Mulvenon, and Mr. Purdy, and you alluded yourself. We have a situation here where we’re not going to have like-minded nations around the world. The gentleman from Interpol this morning was talking about 188 countries, but those 188 countries aren’t all going to cooperate on this. You’ve just named two who are particular culprits, and those are really big countries. And we’re talking about state involvement here, we’re not talking about hacktivists – hard to prove, but we’re not talking about patriotic hacktivists here. How then shall we be saved? What would you recommend to the international community of, let’s say, those countries that are like-minded? What are the steps legally, financially, even militarily, if you like, or extending the military into cyber? What should be we thinking about? What should we be doing about this?

MR. CARR: Well, that was a – that’s

an easy question. So, the RBN is a course constant curious organization. In fact, my colleagues and I suspect that – well, we believe that they’re still operating, but not under the name RBN. But the, you know, the infrastructure, the bulletproof hosting, is all still intact and, in fact, we suspect that they’re headquartered in the Netherlands currently. So, the – but again, it’s a theory, you know. We also believe what – and this is, I think, a key point – is that they’re equally comfortable operating in China and in Russia. So a lot of times, when you see Chinese IP addresses being used in certain types of attacks, it could easily belong to an RBN, or a [48] Georgetown Journal of International Affairs

former RBN organization, not necessarily China. Bottom line, though, I think, is a – they simply have become a part of Eastern European organized crime or Russian organized crime. Regarding your second question, the – I don’t have a lot of hope for the – for the – for the Internet as it is – as it exists today. And the bottom line – my bottom line advice, when I’m asked to speak on it, is that in order to protect your critical infrastructure, you really need to sort of start from the ground up and have a dedicated – a dedicated network similar to what maybe is being used by CERN or other particle accelerator labs. It’s built with secure code, it’s built with secure practices, there is a trusted supply chain involved. You really do need an – and that network would be a – would require a high degree of access, of security in terms of access, completely separate from the World Wide Web, you know, that we have today. Short of that, I don’t have any hopes of seeing these problems get resolved.

Q: May I just ask a quick follow-up ques-

tion about the RBN people, in their new incarnations in – with East European crime network and the Netherlands and China? Are the connections with the security services in Russia, particularly with Prime Minister Putin, still there?

MR. CARR: Oh, yeah. That’s the

handshake deal that’s been around for years and years, and most people who follow Russia would agree and say it’s a sort of a brotherhood of convenience. If you – you help us, we help you, and otherwise we leave you alone. So yeah, I think it’s still a big part of Russia’s planned – and that’s why they

International Engagement on Cyber

won’t sign on a – any international law enforcement treaties, Russia won’t sign.

MR. MULVENON: I would also

say that the cooperation between likeminded countries is also a key point – MR. RATTRAY: I wanted to provide part of the norm I described earlier. I saw a perspective on, you know, working Michael Markov earlier, who was the Sir with the Russians and the Chinese, and Edmund Hillary of international cyberthe – that there is an – I think there is negotiations, and, in terms of harmoa lot of opportunity for collaboration. nizing countries’ laws and things so that I just came back from the Asia-Pacific we could extradite people and we could CERT meeting which has 18 countries – we could have parallel discussions and and 44 computer emergency response make sure those organizations are set teams. There – the Chinese are there up, and yes, it is easier to do with likewith the Koreans and the Japanese and minded countries, with the European the Australians, and, you know, A, they countries, with NATO and other people. collaborate very well. But one of the But if you set up, if you have that norm most interesting aspects of it was to established within that group, which is watch the Japanese, the Korean and a pretty serious economic block, and the Chinese team go off to sign a sec- then the knowledge is that, you know, ond – you know, to draft a second ver- that you want to invite people into that sion of a cooperative agreement they’ve norm, that they just – here are the had since 2005 to share information rules, here are the things you have to on political hacking, which occurs all adhere to, here are the laws you have to the time between those countries, so harmonize, here are the organizational that those incidents don’t escalate inter- structures you have to set up, here’s the national security incidents, and – the POC list we need, such that it becomes CERT teams are trusted to go, yep, increasingly valuable from an economic that’s just the political hackers going at perspective to be in that club rather it again over some territorial disputes so than outside of it, that you don’t want to that the governments – and believe me, be the leaderless Afghanistan sanctuary, Japan and China are not allies – when you know, for terrorism, you know, you it comes to a national security situa- want to be the place that’s recognized tion, they find a space for collaboration. as part – as inside that norm circle. I guess – I’ll also make the comAnd that’s how you incentivize people ment that they did this all in English. to come into the norm. It’s because So when we think about cyberspace, they see who is already in it. And so, we might think that that’s a good thing starting with the easy cases, starting with in that the lingua franca of cybersecu- the countries with whom we have likerity is English. The challenge for us is, minded concerns already is the way they know what we’re thinking; do we to, then, sort of create the snowball know what they’re thinking? Because I effect, in my view, to push that norm. certainly couldn’t have figured out the conversation of what was going on in MR. PURDY: There’s also a system any other those teams at that table, so – of enforcing the norms, so that, if people don’t play, you can stop letting them [ 49]

PANEL 2: CYBER SECURITY, ECONOMICS, AND A HEALTHIER ECOSYSTEM

play. You don’t keep them from (playing ?) from anybody else. As part of the ecosystem concept, the idea of saying, if somebody is going to abide by the rules, they’re going to have special kinds of privileges. If they’re not going to play by the rules, you’re going to get more scrutiny to what comes in. So, for example, a local area university – we have – it’s not just protecting ourselves or launching an attack against somebody. A major university in this area, Yahoo.com blocked all email traffic from that university, because the university was not taking seriously cybersecurity. And if you have certain countries that don’t take it seriously, we can, in effect, blacklist, or we can whitelist – you know, countries, ISPs that do cooperate. That’s part of our arsenal and that’s part of an arsenal that we’re not – we’re not using adequately.

Q: Hi. My name is Amanda Pulaski. I’m

a reporter with – inside the Pentagon. And I just had a really brief question for – I’m not going to say your name right, I’m sorry – but Ms. Tikk, you talked about NATO Article 4, and I understand that in international circles there’s sort of a debate between whether Article 4 or 5 should be applied to cyberwarfare scenarios, or both, and I was just wondering if you could maybe speak to that, and shed a little light on that, or what your perspective is on that issue.

The thing is, in practical world, that means that today, up to – up to now, we haven’t had the opportunity to even discuss the applicability of Article 5, because we haven’t really witnessed those incidents that we have so far witnessed. Have not reached, or present to the threshold of a cyber armed attack. Now, Article 4, on the other hand, is applicable throughout the spectrum of cyberthreats. That means potentially also to cybercrime. So if NATO countries see that there is a particular type of cybercrime, or certain issues that are not, for example, faced, or solved by other international organizations such as EU, and they need – they want to consult and then cooperate to make data exchange or investigations tighter between them, they have the authority to do so under Article 5 – sorry, under Article 4. And the same is also true for cooperation that goes for incidents of cyber –national security relevance, that, again, do not reach the threshold of an armed attack, but they are types like Estonia, Georgia, that trigger a kind of play at national security limits.

MR. RATTRAY: All right. We

have time for one more question and probably a brief answer or two.

Q: I’ll make my question quick.

Again, my name is Juan Ricafort and I’m a student here at Georgetown. MS. TIKK: The legal perspective I guess we’ve heard a lot today about to that issue is pretty simple, actually. deterrence, retaliation, attribution. My Article 5 is the only one of the articles – question is about something we haven’t and actually, the one – the article that is heard a lot about, which is resilience, applicable, potentially, to cyberwarfare, and hearing, specifically, Mr. Purdy’s simply because it’s applicable as a trigger and Dr. Rattray’s comments about the of collective self-defense, in case there is need to look at this as an ecosystem and an armed attack against one of the allies. reducing vulnerabilities – the ability to [50] Georgetown Journal of International Affairs

International Engagement on Cyber

recover and to control the amount of damage that is done by any incidents that are executed on the system. It seems like a lot of what we’re talking about here is sort of this emergency management idea of building systems that are resilient and are able to recover. I was – my question is, should resilience be the central pillar of national cybersecurity strategy? And if so, what can we do to maximize that resilience? Thank you.

who are proxies working for nationstates is a huge problem that’s not being addressed adequately in this country.

MR. MULVENON: And I would

just say, finally, that there’s been a major mindset change, which I think is a positive thing, which is one from, you know, higher walls, deeper moats, wider minefields, from one – particularly within people I deal with in DOD – a recognition that it, you MR. RATTRAY: I will agree with know, that we have to have whatever you that I actually do think resilience the buzzword of the day is: defense is probably the most important pil- in depth, active defense, fight through lar. It’s got to be as part of an overall the intrusion, fight through the attack. strategy, but certainly the logic I laid The old SOP was just to simply take the out is, you’re going to have challenges, network offline and go through with a you’re going to have disruptions, you nit comb looking for Trojans and backneed to be resilient in response to them. doors. Well unfortunately, that impedes I think there’s two layers to that. the mission, it fulfills the adversaries’ You can improve the overall ecosystem’s objective. We have to operate our netresilience by removing, you know, some works like I operate mine, knowing that of the threats, the botnets, that the sys- there’s potentially compromised hardtem as a whole, as it gets healthier, you ware and software inside the network. know, I guess it’s implied it’s more resil- That I – you know, this goes to John’s ient as that regard – in that regard. But question about technology. I know every kind of – down to the individual there is compromised hardware and layer, but certainly at the enterprise lay- software inside my network. Whether I er, more of cybersecurity has to be about create virtual encrypted enclaves, whatagility and response, and probably less on ever I’m doing, I have to be able to the notion of, you know, castle walls, and operate within a compromised network. preventing bad things from happening. You know, we can no longer entertain (I don’t ?) know if others – I’m the fantasy of having a clean network. sure others have perspectives that – And so that’s where resilience, to me, is absolutely critical, because that’s MR. PURDY: I would just add the issue the only way to operate that kind of of online theft of intellectual property, I network is through resilience prioriwould add to the resilience. The action ties rather than perimeter security. by nation-states and by nonstate actors

[ 51 ]

Panel 3: Private-Public Collaboration Models Globally MELISSA HATHAWAY: Good afternoon. Hope everybody is doing well.

I’m moving a little bit slow, and some people are asking me, so I’m just going to give the global announcement. I’m just off of eight weeks of medical leave, so if you’re chasing me down the hall, I’m moving really fast – or slow. And so – but I appreciate that I – for Catherine to invite me here and for everybody for the opportunity. I have been working on speaking and writing about the private-public partnership an awful lot. And as many of you know, there are lots of private-public partnerships. And at my last count, last fall there was over 55 in the – in the United States. And I think since then we’ve established more than a dozen more. But one of the things I’ve asked for this panel to really cover is some of the best practices and the lessons learned of the private-public partnerships that they are supporting and leading. And I’m just going to introduce my panel. We have – and I’m going to just go down the – they’re actually sitting in the order that we’re going to speak. So Bill Guenther is the president and founder of Mass Insight Global Partnerships, and he’s been leading private-public partnerships in the Boston innovation corridor for over 20 years that span the academic and industry relationships and incubating the new technologies that we need to solve big problems. To his left we have Dr. Phyllis Schneck, who is the chairman of the board of directors of the National Cyber-Forensics & Training Alliance up in Pittsburgh, Pennsylvania. She’s also the chief technology officer at McAfee and the chair of InfraGard. And as – leading multiple private-public partnerships in information-sharing environments for the – between the government and through the industry, she has a lot of insights that she’ll be sharing with us from an NCFTA and a broader perspective. To her left is John Nagengast. He is at AT&T, driving a lot of the operational private-public partnerships right now within the – and between the government

[52] Georgetown Journal of International Affairs

International Engagement on Cyber

and the private sector, and has a long career, distinguished career at NSA, and brings a broad-based perspective from the Internet service providers in a tierone telecommunications carrier. And as we look and turn to the telecommunications carriers perhaps to carry more of the burden, he’ll be able to discuss what that means and the much bigger picture from an operational context. To his left is Eric Werner. And Eric is now a principal security strategist at the Microsoft Corporation. Prior to that, he served at the White House and helped me write the Cyberspace Policy Review. Prior to that he was at the Department of Commerce, and prior to that he helped stand up the Department of Homeland Security. Eric’s going to talk to some of the unique mechanisms that now the private sector can turn to the government for facilitation of that partnership. And then finally – not – we have Mr. Kristjan Prikk from the Embassy of Estonia. He arrived here in August of 2010 and is representing a broad portfolio for the Estonian government here in Washington – not just national security issues, but many of the issues. And he’s going to be giving us a perspective, because he served in the ministry of defense prior to coming to the United States, of what it means to actually operationalize and get the private sector to restore the infrastructure, and the lessons learned from an Estonia perspective. So I’d like to kick it off immediately to my panel, but for the tagline I’d like you to think about – is we got to think big, start small and scale fast. And what are the key things that we can take out of each of these private-public partnerships so that we can get to a more scalable model to address this in a global situation? Thanks.

BILL GUENTHER: Thank you.

Thank you. And I’d particularly like to thank Catherine for the quite extraordinary job of organizing this day. I know what it takes to do this, and she’s done a really, really terrific job with a great group. And I want to thank Melissa for leading this panel. I’m going to talk very – I’m going to first of all run through some slides that are part of our business plan for the advanced cybersecurity center located at MITRE in Bedford, Massachusetts. These have a lot of detail in them. They will be available to you, for anyone who’s interested. I’m not going to go through a lot of the detail in specifics. What I do want to do is just create a quick context for these kinds of centers, broadly speaking, as regional R&D centers, talk a little – a little bit about where we are in the process and what the objectives are, and then close with some lessons learned. We came to this center really through two streams of activity. One, in the last 10 years we’ve focused a lot on the connections between universities and business and ways to connect the dots within a region in terms of the intellectual assets that span the commercial and the academic side, and particularly large-scale R&D centers. And secondly, we did a study with McKinsey on the IT sector a number of years – about four or five years ago. And Bob Nesbit, a senior vice president for MITRE, was part of our advisory group. And we were looking for strategic opportunities where, again, we could pull together assets in the region and be a national player in terms of solving national and global challenges, and also, obviously, create competitive advantage for all the organizations involved. [53]

PANEL 3: PUBLIC-PRIVATE COLLABORATION MODELS GLOBALLY

And Bob specifically said that the APT, the advanced threats, were not being responded to effectively; that it was not a problem single organizations could solve on their own. And he was very interested in cross-sector play between the financial-services sector and defense, because each sector thought differently about strategies to respond to the advanced threats. And so that’s really the genesis for this work in this center. So first point, context. We think in terms of talent clusters: that if you’re thinking about regional, particularly technology-based economic strategy, it’s about identifying pools of talent and then pulling those together in effective combinations, and also about guiding universities to produce the talent to feed that cluster, both the supporting talent and the stars. It is important – and I think we all recognize that proximity still matters, that having people able to deal face to face within a region creates activity that wouldn’t occur otherwise. So one way of thinking about this is really a combination of regional centers around the country and around the world that are then networked in productive ways and facilitated. So very simply, as I mentioned, flagship R&D centers as a place to bundle and broker assets. It doesn’t mean the center is doing all the things directly; it means that it’s acting as an intermediary between different kinds of assets and an incentivizing organization, sometimes even a funding organization for separate projects. The advanced cybersecurity center is, as I said, focused on the assumption – and this slide is based on all the interviews we did in the business-planning [54] Georgetown Journal of International Affairs

process with our 16 charter members along with others in the region – but it is based on these three fundamental assumptions: that the APT is a major threat, and that it is not a threat that can be solved by single organizations. The – there is a fundamental assumption in here too that any organization that collaborates with others is going to raise the sophistication level of its staff. So if you think of this as basically creating the Navy SEALs of cybersecurity, that’s one of the goals of this collaboration. At the risk of offending an organization that isn’t represented here on the slide, or somebody who feels they’re in the wrong space, this was an effort – and PwC Consulting worked with us on doing an environmental scan of existing collaborations around the country – and then we put them into this grid based on the vertical being information – informational at the low end to actionable on the top end, and then known threats to new and emerging threats along the horizontal. What it is intending to show is this white space in the upper-right-hand quadrant where we are not collaborating to produce actionable information and R&D to deal with the advanced threats that are new and emerging. This represents schematically the current partnerships. And I want to emphasize that this is a center in launch phase. And I’ll go through exactly where we are in a later slide. But essentially what we’ve said is we’re building on a regional base that connects the end user community on the left-hand side, the broader business community, with the supplier, the vendor community, and with educational institutions as partners. A critical differentiating piece of this

International Engagement on Cyber

is that it is a cross-sector collaboration, so it includes financial services, the defense non-profits, MITRE, Draper, Lincoln Labs in the region, as well as utilities, health care. The Federal Reserve Bank of Boston, it turns out, has national-perimeter-of-defense responsibility for the entire Federal Reserve system, so we’ve got some real sophisticated staff up there, and they’ve been a major partner with us. But again, on the national level, the effort is to connect only to the federal agencies up in the national cybersecurity framework and then with the existing security cooperatives in other centers like this around the country. The – functionally, if you look at the work that will be done in the center, the core of it is on the left-hand side where it says “shared threat data and response strategies.” So there is being set up currently – and MITRE is developing the collaborative software for this – a threat-evaluation/data-sharing capability that will bring together, again, the initial 16 or so organizations involved, and then we hope another 10 or 15 that will join with them. That threat evaluation and data-sharing is intended, however, as a platform for R&D. And that’s where you see on the right-hand side the “develop nextgeneration solutions.” We think it’s also distinctive that the center is focusing on a public-policy informational capacity. And we have a terrific policy committee that’s in formation that Jack Goldsmith at Harvard Law School is chairing with us. And then underneath that, under regional leadership, we are putting a major emphasis, something we’ve – actually is the easiest consensus-builder among members around the fostering

of talent, the ability to bring the industry side together with universities, to look at gaps in the education programs, to encourage universities to either create new degree-granting programs, certificate programs or internships and workstudy is obviously a critical advantage. In terms of our actual work, these are the work groups at the bottom here. The policy legal work group I just mentioned. Threat evaluation/data sharing, that’s being led by Matt Richard, a senior staffer at MITRE. And the industry education work group that’s bringing together the university and the industry assets. The executive director, just to be clear, is, in essence, Mass Insight at the moment. We are in the process of working with Foley Hoag, a law firm, to file for the nonprofit. And when we go into full launch phase in 2012, the budget would then support a fulltime executive director. The steering committee is the currently – is currently the operating group of the 16 members that’s driving the process. So another way of looking at this is to think about the different kinds of staff that are connected through a collaboration of this kind and the different levels of sophistication. At the top clearly are the elite security experts from the companies, who we are starting to bring together. And in the mid-level are the front-line staff. We have had a technical operating group for about eight months where some of those front-line staff have been meeting on a weekly basis and spending a day together. In terms of where we are in the process, again, this is a transition from business planning to full-scale launch, 2010. We put together the small-scale technical group; the steering commit[55]

PANEL 3: PUBLIC-PRIVATE COLLABORATION MODELS GLOBALLY

tee led a three-year work plan effort, which is completed. We are now organizing the work groups, 2011, setting up the legal and governance and working toward a full-scale – or a large-scale regional conference in the third quarter. In terms of lessons learned, the – I wanted to run through, just quickly, some opportunities, challenges, and some of the lessons. The first point, I think – and having worked on a number of other collaborations of this kind – we attempted to put together a drug-development/biomarker imaging center a couple of years ago and never got enough consensus and closed it down. What’s interesting here is really the increasing perception of the threat. As everyone said this morning, this is not an invisible problem today, and that helps a lot. And secondly, I think, the widespread recognition among the major users like the Fidelitys and the State Streets, the Liberty Mutuals and the John Hancocks, all of whom are members of this consortia, that they can’t solve this problem on their own and that existing tools and resources aren’t doing it for them. I want to emphasize, this kind of collaboration is not an effort to replace commercial products. It is focused on integrated strategies, and it is – the reason we can get vendors to the table, like EMC, RSA, Microsoft and others, is because it’s helping guide them towards solutions that they will develop in the future. So it’s pre-competitive. In terms of the challenges, certainly aligning partners with different levels of sophistication, financial services defense at the top of the pyramid, probably health care lower down, utilities somewhere in the middle. [56] Georgetown Journal of International Affairs

Secondly, there’s been already comments about business disincentives to share information. Obviously, that’s an issue with government as well, so getting over those hurdles. The two next bullets, “fostering trust” and “defensesector restrictions,” really fall into the same bucket. And broad-scale, it’s about, you know, how do you create the confidence among the members of the consortia to actually open up their books? The fact is that, you know, even down to the level of individuals – the individuals who are doing the work and the background checks, the security checks, you know, those are all issues that have come up in the participation agreements that we’ve worked on. Defense-sector restrictions: As you all know, the private-sector companies are using foreign nationals extensively. The defense sector doesn’t allow it. And how do you deal with that problem? And finally in that category, the funding assumption. This is an industryled consortia. The assumption is – and what – the way we’ve been operating is that industry puts up initial membership and provides the initial funding. You hire only an executive director, and then you go out and get significant federal funding through contracts and grants and projects. The issue of quantifying risk and having CISOs and CIOs – and some of you are represented here in the room – able to convince CEOs and senior executives that this is worth investing in and how much is it worth investing in it, is a hurdle. And, you know, everyone has said that the difficulty of quantifying the risk is a problem. So finally, lessons learned. First of all, regional centers are manageable in scale. You’re dealing with a small member-

International Engagement on Cyber

ship base. You’ve got 25 people around a table. You can actually manage that group, as opposed to a hundred or 500. That group is intended to produce value that will then get disseminated out to a much broader group. But it’s manageable to do it at the regional level. Secondly, phased start-up. My experience with universities is they are wonderful places with extraordinary assets, but they tend not to be top-downdriven. So establishing partnerships with universities is even more difficult than it is with industry. So start with industry, get the industry funding. And some of our university partners told us the same thing: start with the industry side and the universities will come along. And that’s what we’ve done. Organize around the IT users, because obviously the vendors present particular challenges in terms of IP that State Street or Fidelity don’t. And finally, as I said before, education and talent is an incredibly easy consensus-builder. Everybody’s interested in building the talent base, particularly in regions where they can tap into it. The final point I’d make is, I do think the federal role is to encourage some of the existing centers, to build support for them, to build funding, to stay out of the way where they need to stay out of the way, but basically to allow these centers of excellence to grow up and then help them connect to each other.

PHYLLIS

SCHNECK: Good

afternoon. I forgot which mic I’m supposed to be using. So thank you. I want to first start by thanking Georgetown University, thanking Catherine, thanking Melissa, and certainly the panelists that preceded us this morning.

There’s a lot of good guidance. We’ve had this meeting – somebody joked yesterday and last week that we’ve had this meeting several times, and we don’t want to reiterate this same meeting for you after lunch. But I’ll try and give you some different kinds of insight that we’ve had on this information-sharing problem. So little bit – my background is actually high-performance computing and how to do that more with cryptography. And you learn very quickly in the world of security that none of that technology is very effective if we can’t do – as Mr. Moss suggested at one of the lunch talks – find what we believe in as a country and as a world and use that technology. Because you can’t solve a people problem with technology. Going back on two comments that really resonated this morning, Congressman Thornberry said cyber needs to be elevated – I’m paraphrasing – but elevated to the highest levels of private industry; and certainly General Hayden, who pointed out that even an F-22 is a node on our network. So if you think about the fact that we’re all connected, we’re all interconnected, everything we live and breathe, that cyberresiliency is absolutely fundamental to our way of life as a country and as a world. And that way of life then is fundamental, and our ability to understand as both private sector and government, the pieces of the cyber puzzle, be able to put them together and be able to push them out to protect, in two ways. In real time, making our network fabric resilient. Just as your body fights a cold, we shouldn’t have to know the name of the virus or have a signature to it to fight it. We just fight it off. And the second way is, in human

[57]

PANEL 3: PUBLIC-PRIVATE COLLABORATION MODELS GLOBALLY

time, to put some understanding around it. A lot of people have a lot of interest in this. This is a very fun thing to look at, very exploratory. But who’s behind it, what’s the motivation, that obviously moves a little more slowly. I come back to a story in 2003 when I had been chairman, as Melissa mentioned, of the private-sector side of the FBI’s InfraGard program. And we briefed a foreign government on how we did private-public partnership just in that program. And I remember one of the citizens there telling me, this is so different, because – and she said to me, in your country, the private sector does what they want, and so you can lead a partnership. She said, here we do as we’re told. And she said, you’re very lucky that you can do that. So as we think about that, I’d offer that as some insight as we build these partnerships. This is an opportunity as private sector to take everything that we know, the eyes and the ears, the information that we see around these networks, and put it together and work very quickly with each other as partners, competitors, colleagues, and with our government. I know that it’s not always the easiest, having been in some of the trenches that others have been in as well. But this is something that we have to do. And on those principles, that is a foundation upon which the National Cyber-Forensics and Training Alliance is founded. So I currently serve in my volunteer time – whatever’s left after the CTO of public sector role at McAfee – in chairing the board of directors of the NCFTA, as we’ll call it – the one acronym I’ll try to use today. And the principle of the NCFTA is putting under the same roof and under [58] Georgetown Journal of International Affairs

the same organization your fraud analysts from different sectors, from the better part of our financial sector, pharmaceutical sector, transportation. And we’re expanding. We’re looking at energy. We have telecom well represented, and having – to the point made earlier – the highest levels of private industry represented on our board, several of the major sectors represented there, and then having their – some of their fraud analysts in our labs, working with the information that they get from their companies, from partner companies. It comes into a 501(c)(3). So it’s private sector sharing with private sector. And then walled off within the same building, same complex, we actually have an – part of an FBI cyberfusion unit. So when the private sector’s ready, the analytics can go over there. So on some of the specs, we have a hundred sponsoring partners now; 30 percent of our funding is private sector, 70 percent is still federal. We have 45 live staff members, had the privilege of meeting a lot of them a couple weeks ago; just some of the best talent in the country that’s chasing down some of the worst adversaries in the world, and able at the right time to give it to law enforcement, leading us to a presence in 34 different countries, relationships that we’ve leveraged from the FBI, from law enforcement, to have those relationships overseas so information can be passed. And my favorite one is 300 arrests of cybercriminals worldwide to date. And the organization really just kicked off – you know, founded in 1997, but really found its legs, I would say, a few years ago. And a lot of the credit goes to our CEO, Ron Plesco, for standing through what most of you know is a tough industry and

International Engagement on Cyber

a tough goal, and really making this work. We bring the trust together of the companies, their partners, their colleagues, their data. We have a back end where it’s supported. We look at things like chain of custody to make sure that the FBI can use the data that comes in, or DHS or our other partner agencies, ICE and others that are partnered with us. There are several. And you look at how you can actually take that evidence and make it work in a court. Often companies don’t keep that the right way. We do at the NCFTA, so it can go and put bad cybercriminals in orange jumpsuits. So you combine the trust, the speed. We maintain control of it as a privatesector 501(c)(3) until a company allows us to give the data to law enforcement. You know, that’s very important to another point that I’ll make. The cyber criminal we face is fast and strong and better than we are, and that’s why we’re losing. They act, they share information, they have absolutely no barrier to entry to share. They – they’re criminals, so their way of life is not dependent on intellectual property or legal barriers. They execute. The only that we as a country and as a world can execute private-sector and government is to be faster and take back the infrastructure that we own, use our ability as companies all over the world to see the activity across the world, to correlate that, to put it back into the network fabric so that we have that cyber immune system that so many are saying that we need, so that your network fabric can defend something from reaching its target, even without knowing its name. Great point made earlier, I believe by Mr. Carr, when he said the signature model – again, paraphrasing – but

the signature model doesn’t work. It doesn’t. And I eat from a security vendor, right, the biggest one in the world. But the signature model is over. We and our colleagues look at how you work with behavioral analysis, and in real time as well as in human time. And the way to do this is to build these partnerships. So the NCFTA is one model that works internationally. It’s not the solution. It’s a hard-driving component of something that we need to leverage the existing information-sharing and collaboration organizations that we have. But I’ll end with a little bit of a war story. And that is, when you’re on the phone, looking – we have several of these advanced persistent threats – I shudder at that term, because it’s a little bit more these days, like the advanced persistent marketing threat. Everybody out there likes to use that term. But there is an adversary that loves to look in your system, gets in there; not so terribly – not so hard to do it; they look at your information. They either want your information, future information, what you’re doing. But they’re there. And once we’re able to look at one of these adversaries, we work with our partners all over the world, both the NCFTA and other companies. There’s a good-guy underground. And you put that information together and you start to build a picture. And then you end up on the phone at some hour of the morning understanding that, look, this must be the same adversary because they’re obfuscating what they’re doing in exactly the same way as we’ve seen on XYZ date. And we believe it’s coming from this part of the world because of this reason. And look, they’re going for nine [59]

PANEL 3: PUBLIC-PRIVATE COLLABORATION MODELS GLOBALLY

or 10 companies in the same sector. But we can’t give that to law enforcement right now. We’re not protected to do that. It could cause material events for shareholders. It could cause other data release. So we sit there as private industry saying, we want to do this faster. And we watched this happen in the NCFTA not so long ago. So we need to use groups like this to figure out how do – how – not building another organization; how do we work together to be able to share that information over so that we retain control and we don’t lose out to this adversary? So with that, I will thank you very much and look forward to your questions.

you see the market starting to recognize the need for enhanced security. Our lunch speaker in the group I was in talked about the fact that Windows 7 is much more security-robust than some of the previous versions of Windows. And we’re doing a lot more in the cyber space today as a carrier service provider. There’s a debate going on, obviously, about could we do more, you know, how do we partner and how do we collaborate. But we are going in the right direction, simply because the market is starting to turn the corner and understand that cybersecurity is important in all of this cyberspace. We don’t even have a definition we agree on. I think the Europeans refer to it as ICT. We’re JOHN NAGENGAST: OK. Well, good kind of talking about cyberdomains or afternoon, everybody. And I think there’s cyberspace. But it’s this whole intercononly thing one – the only thing worse nected infrastructure that we’ve crethan being in the panel after lunch is ated, and nobody really knows how it being the third speaker in the panel after all – how it all works in a complete way. lunch. So I’ll try to keep it light and fast so But that’s not a market failure, and I we can – we can keep everybody moving. think we are responding over time to I want to start out with – disagreeing the – to the demands of the market. with something my former boss Mike The other thing I want to say is we had Hayden said. When I was at NSA, my some China-phobia and Russia-phobia. last five years, I worked for Mike. And And the model I’ve always worked on he mentioned something about mar- in the long time I’ve been in the busiket failure. And I want to start out by ness, both at NSA and the private secsaying there is no cybermarket failure. tor, is trust no one. Globalization has All the companies in cyber – most of made the idea that you can localize them, at least – are doing very well. the threat to one particular country or And he got a look at it from a private- one particular set of bad actors – it just sector perspective. Companies are in doesn’t compute anymore. You got to business to make money for their share- really operate on the basis that I can’t holders. That is their single objective, trust anything in my infrastructure. whether they’re doing virus detectors So then I go on from there and say, or any – or providing communications now, what do I want to do about that? services. You got to start with the prin- I want to – I want to be able to tell ciple that they’re there to make money. when something is misbehaving in my Anything else is a secondary objective. infrastructure, irrespective of whether it So there’s no market failure. And has an American brand logo on it or a [60] Georgetown Journal of International Affairs

International Engagement on Cyber

Chinese brand logo or a Russian brand logo. Because that’s almost immaterial in the – in the world that we work in. In fact, it’s not at all surprising that we – this was mentioned this morning – Symantec and Huawei formed a research partnership. That’s what globalization is all about, is reaching out into the various technology bases around the world to expand your business. And that’s what they’re doing there. You know, we can question some of the motives, but basically they’re doing what a company is – any company is going to do. They’re going to try to expand their reach into the global marketplace and expand market share. And we shouldn’t be surprised about that. What we lack in the United States is a real strategy to deal with the globalized environment that we’re operating in today. And I’ll – we can come back to that in questions if you’d like to. I’d like to – you know, since I was asked to talk about private sector and collaboration, let me say that, number one, AT&T, as the largest communications service provider in the world, takes cybersecurity very, very seriously. We have a large, well-organized effort focused on detecting bad activity in our network and attempting to mitigate it before it reaches our customers. That’s our – that’s our single, you know, philosophy, is: We don’t want to deliver it to the end user. If you think about the world as it’s going to exist in the future, you got mobility – mobile devices, cloud computing and information applications stored in the cloud. And in the middle is this telecommunications infrastructure, the network, the Internet, if you will, that ties it all together. The way you’re going to stop cyber-

threats in the future is by detecting, from a behavioral perspective, malicious activity and stopping it in the network. You don’t want to connect the cloud and the mobile user together – you know, from a malicious perspective. So that’s the way we approach it. And I think we’re involved – and we try – every six months or so, we try to count how many partnerships of collaboration, public–private-sector, are we involved in as a company. And I don’t think we’ve ever been able to get to ground truth. Sometimes it’s, like, 30, and then we count it again – well, it’s 35, and then it’s 40. And it goes on and on. And one of the points I’d like to make here is, most of the collaboration, the private-public and the private-to-private collaboration that’s taken place in the past, has been mostly post facto. It’s kind of like, well, what did you see last week? I saw this. Oh, OK. Well, what did that look like? And then I saw that. What did that look like? And then we compare notes. What we really should be focused on is what’s happening right now and what’s likely to happen next week and how do we stop it before it achieves its objective. That’s the only way you’re going to get ahead of the threat. And we’re not going to get there by regulating the industry or trying to impose the Australian model on the cyber – you know, the providers. You’re going to have to deal with, how do we operationalize – I think Phyllis talked about this – we have to move at the same speed or faster than the bad actors in the world, whether they’re cybercriminals or whether they’re nation-state-sponsored or associated. We have to be able to move faster. And the only way we’re going to be able to do [61]

PANEL 3: PUBLIC-PRIVATE COLLABORATION MODELS GLOBALLY

that is by automation of sharing. And I’d like to use the term “active defense.” I think that my friends in DOD use that occasionally. And we got to really be able to detect the malicious activity in the network infrastructure and stop it before it achieves it objectives. You’re never going to be a hundred percent successful in doing that, but that’s clearly one of the foundation elements we have to build on for the future. When you think about – so how do we do that? There’s a set of players, obviously. You know, we talked about service providers. We use the term ISPs. Let me – let me just give you some context. In the world of the Internet, the way the global infrastructure has evolved, it is basically a set of autonomous systems operated by independent, mostly private companies, some very large – the AT&Ts, the Verizons, et cetera, the BTs, NTTs of the world. And then there’s lots of little players. There’s literally – I don’t know, Steve, do you know how many autonomous systems there are? Three thousand, 4,000, at least, maybe more? A lot. There’s a lot of them, OK? And it’s not a neatly constructed hierarchy, OK? It’s not like, well, this guy’s doing a bad thing, so I’m going to shut him off, I’m going to disconnect him. It doesn’t work quite that way, OK? If you’re a third-tier – second- or third-tier provider, you’re connected in multiple ways through multiple venues. And there’s – it’s almost literally impossible to say, I’m going to shut, you know, company, you know, ASN-XXX down because they’re not behaving well. What you’re going to do is just create another – they’re just going to find another path to get past the things that you’ve been looking at.

[62] Georgetown Journal of International Affairs

So we really have to think about – holistically about this infrastructure, and clearly, being able to work with the responsible players and the larger – you know, the tier-one carriers, where there’s a lesser set of those and they typically tend to be responsible. They don’t want malware on their – on their networks; they don’t want malware-distributing servers on their networks. But it’s going to take cooperation and collaboration and an operational perspective to be able to deal with that. And we don’t have the mechanisms in place to do that. One of the issues is basically, in the United States, is we don’t have a legal framework. I think Phyllis touched on this. As a carrier service provider, we’re subject to all kinds of laws and restrictions about who we can share information with about what our customers are doing. If you look at the body of law in the United States, the Electronic Communications Privacy Act and the Stored Data Protection Act and all the laws that have been written over the last 30 or 40 years having to do with some dimension of electronic surveillance or privacy in, you know, cyberspace – which is a term that’s not used – basically, nowhere do you find the word “cybersecurity.” There’s nothing – or nowhere is it defined that says for cybersecurity a carrier service provider can do the following things. Everybody – we’re all in the same boat, by the way. Phyllis mentioned it from a, you know, McAfee perspective. But we want to protect the privacy of our customers just as well as anybody else. And the body of law does not really support real-time operational sharing. So one of the things we think the Congress can do in the near term is

International Engagement on Cyber

start to tackle that problem. What are the legal modifications necessary to our current structure to enable us to do a better job of public-private sharing while we maintain the privacy of customer protected information? That’s essential, and we don’t have that capability today. You know, I will – I’d like to close just by saying that, you know – we were talking in the back room about what keeps you up at night. You know, what keeps me up at night is the United States is no longer leading in the technology space, the way we’ve enjoyed over the last 20 years or so. If you look at the international standards bodies, where is the nexus of energy coming from? It’s coming from a lot of different foreign countries. We have become much more passive as observers in those fora as opposed to leaders in those fora. And that’s the scary thing for the future. If you want to define what the future of the global infrastructure’s going to be, the Internet, you got to be in the leading position. And we’ve kind of lost that bubble in the United States. There’s a variety of reasons for that. Other countries have strategic visions and we don’t. But we’re going to have to figure out how we can regain that and regain some of that global leadership. We also are – you know, I think global cooperation in cyber is improving in the law enforcement space, but we have a long way to go. Shawn Henry’s doing a great job at the FBI, but we can dump more cybercrime in his lap than he can possibly pursue, so we’re going to have to think about, you know, how do we, you know, provide additional resources into the law enforcement community. Because, you know, what we see, basically, in our

network infrastructure – 90 percent of it is cybercrime of one sort or another. People are out there to make money and they’re very creative in doing that. You know, the latest twist – and I’m going to stop with this – is now I’m not going to have to trick you into downloading malware. I’m going to sell it to you in – packaged in an application. I’ll set up my own little app store and I’ll sell you the malware and you’ll pay me for that and then I’ll – and I’ll profit from downstream. So innovation in the – in the bad space is very, very rapid. We have to be able to innovate even faster, you know, from a defensive perspective and a technology leadership perspective. And that’s – I’ll close with that, because I want to finish on time.

ERIC WERNER: Well, so if

being on the panel after – third on the panel after lunch is the worst spot to be in, I’m – I talked to Kristjan – I’m not sure exactly where that leaves me. (Chuckles.) But it is a pleasure to be here. Thank you all for sticking around for the afternoon session. I’d like to add my thanks as well to Professor Lotrionte and to Georgetown and to the Atlantic Council for sponsoring this conference. It has been an enormously informative opportunity for me. It’s a pleasure for me to be here; a pleasure as well to be on this distinguished panel and on a topic of – an issue that I consider to be of particular importance, which is how we approach partnership generally, the public-private partnership in particular, and what we can be doing to drive it forward more effectively. We’ve had a very rich discussion today. [63]

PANEL 3: PUBLIC-PRIVATE COLLABORATION MODELS GLOBALLY

Clearly there have been a number of themes coda throughout the day, recurrent. I will try to be brief as well so we can get to the question-and-answers. I’d like to start by just touching on what I consider to be an important focusing principle when we talk about partnership. Describe a little bit the vision that helps to motivate some of the work that Microsoft has done in this area, and then focus on some of our recent activities. Clearly we’re very involved, as AT&T and others are, in many of the partnership activities both here in Washington and throughout the world. But there are a couple that I think demonstrate some unique ways of approaching it, and sort of illustrate the points that – the themes that I think Melissa hit at the beginning, which are think big, start small, and scale. So with that, I’d like to begin by talking about one important focus principle, and that is – and we’ve been talking about partnership, the public-private partnership, for over a decade, tracing it back to PDD 63, at least, if not before then. And we have a tendency in a lot of our discussions to talk about partnership as if it is the thing, it is the objective. Greg Rattray noted earlier I think a very prescient point, that security, we should recognize, is not the end – the goal of itself. It is a tool, it is an enabler to support what we’re trying to do with the systems that we’re seeking to protect. Partnership’s the same way. We shouldn’t talk about partnership as the objective in and of itself, but partnership is a tool to an end. It’s not the what, it’s the how. And in that regard, we need to recognize that partnership, public-private partnership – you know, that partnership and col-

[64] Georgetown Journal of International Affairs

laboration comes in many different forms and we need to think creatively and flexibly about how we build our partnerships and where we take them. More important than the partnership is the outcome. We need to be very outcome-focused and identify concrete goals and objectives that we can drive towards, using a partnership approach, to get to outcomes that have a meaningful impact to improve security and improve the ecosystem. In international collaboration especially, we need to be thinking about how we build these partnerships. And we need not just public-private partnerships but, with the challenges that were outlined on the panel earlier, I think it’s increasingly clear that we need government-to-government partnerships, we need greater collaboration and discussion at the state-to-state level. We need public-private partnerships, but we also need more effective collaboration between companies, and not necessarily in broad fora. As some of the – certainly the NIPP structure that we have at DHS is very strong, the CIPAC and the sectorcoordinating council and government-coordinating council structures are very, very useful. I helped to build them when I was at DHS, and I recognize the value of creating a forum in which the government and the private sector can engage more fully. But that doesn’t represent the sum total of the mechanisms in which we can be engaging with one another. And more targeted, focused engagement I think can effectively be used to establish coordination models that can then be developed through proof of concept and then scaled more fully as we work through the incentives and the disincentive issues,

International Engagement on Cyber

some of the business process issues that John identified in his remarks, that we do continue to have to work through. So with that in mind, let’s talk a little bit about the vision that backs up the work that we do in some of our partnership activity and some of the work that we’ve done recently. Scott Charney has talked at length about the context for the threat environment that drives some of our thinking. We’ve heard those themes echoed here as well today. There are many malicious actors, many motives. Low-cost technology, widespread connectivity makes – provides low barriers to entry for motivated bad actors. There are motives to engage in crime on the Internet, espionage, both economic and military, and all the way up to state-sponsored activity. Some of those we can grapple with as the private sector. Others of those are more clearly in the ambit of state responsibility. So we need to look and identify where we can have the greatest impact. But in addition to the malicious actors and the many motives, we also recognize that similar techniques are being used. In talking about the dialogue earlier about whether we should be looking to treaty-based models for controlling cyber resources, we need to recognize, cyber tools, cyber techniques, unlike nuclear weapons, are not chiefly the province of nation-states. You know, we have creative people at our company who for years have been developing software. And as Jeff Moss noted at lunch, the people who are developing the exploits are not nation-states. They’re creative people out in the public domain. And therefore, we have to think differently about how we go after some of these threats. The speed of attack certainly, and the

difficulty of predicting consequences, and the fact that the worst-case scenarios, as we talked about, can be very alarming, contribute to the environment in which we have to work. But perhaps the most important feature, and one that has run through a number of the comments that we’ve heard today, is the characteristics of the environment. Call it a domain or not, call it cyberspace. The fact is that the environment in which we operate is a shared and integrated one in which all of the things that we do, all of the values, all of the things that we propose in the infrastructure and in the virtual environment that it supports operate and coexist together in an inextricable fashion. Users operate together side by side. Citizens, businesses, organizations, governments. And the uses, whether they’re social, cultural, speech, commerce, national security, all of these are intertwined. And the difficulty of that is, it’s very difficult to unpack and segregate them when you try and find solutions. That’s important, because, as Congressman Thornberry said in his remarks earlier today, there is a temptation – it’s easy to fall into the temptation to believe that what we need is a single master plan. The fact is that it’s very difficult to come up with a single master plan that will address everything, because the conflation of all of those uses and users together means that the issues they present are likewise intertwined and intertangled. And it’s very difficult to take an action in one place that doesn’t have an impact in one other area. So when we look at issues like supply chain, for instance, we recognize that the steps that we want to take come into conflict with one anoth[65]

PANEL 3: PUBLIC-PRIVATE COLLABORATION MODELS GLOBALLY

er, because it’s often – the solutions that we propose will often put our values in contention with one another. So in that environment, we also recognize that the environment is changing. We have a proliferation of devices, so the challenges of connectivity are getting even greater. ITB-6 is going to exponentially increase that. We also have the fact of persistence of data and the persistence of memory that attends it. So issues of identity, privacy come to the fore even more strongly. And we have an increasing role of governments. As the discussions here today have illustrated, governments that were once willing to sit back and allow the Internet to grow unencumbered are beginning to scrutinize much more carefully what role they ought to have, whether they ought to be exercising greater regulatory responsibility, reasserting sovereignty rights and the like. And as a consequence, that – all of these factors condition the environment. Now, we have looked at these issues through a – an ecosystem perspective rooted in a public-health model. Greg Rattray alluded to this earlier, talking about sort of the holistic approach. And in that, we have – we have taken an approach to response to some of these challenges by evolving the defensive postures of the past, which started in individual protection, individual defense, where we had enterprises building firewalls, configuring their desktops and essentially trying to, you know, build walls and moats around themselves to an expanded vision of collective defense, leveraging the capabilities and opportunities that we as a community on the Internet can undertake to more effectively defend [66] Georgetown Journal of International Affairs

our systems by leveraging the opportunities of our positions and working in better concert with one another. What we’re seeking to do is apply these principles to move beyond just observing the badness to trying to promote goodness, to be more active about promoting machine health, working at an – working to achieve an environment where we are seeking to get to block and defend against infections in the system, and then seek to help end users clean up their systems and maintain a better state of system health. Our thinking has evolved over the years as we’ve developed some of this. So, you know, we recognize now that simply turning it over to the ISPs to block and quarantine doesn’t align well with some social expectations or existing business models. We recognize that there has to be a greater emphasis on user choice and control. And so we’ve begun to explore these and seek more flexible options for applying them. There is an important difference, however, in the public health model versus – the public health models applied to cyberspace versus actual public health issues. And that is that biological pathogens aren’t affirmatively malicious; cyberadversaries can be. And therefore we have to adapt our approaches to address that. So what have we done in order to address some of these issues? So very quickly, the best illustration of what we have done in this space is to leverage our capabilities, leverage the legal system and partnerships with the ISPs and the research community to move in the area of botnet takedowns. Very quickly, a year ago many of you probably heard coverage of our work in February 2010 to

International Engagement on Cyber

bring down the Waledac botnet. At that time, we were able to attain a court order to sever 277 domains believed to be part of the botnet, severing command and control for that, bringing down about 70,000 to 90,000 infected computers. Through subsequent cleanup efforts with ISPs and CERTs around the world, and some of the natural decay in the botnet itself, we now estimate that there are about 22,000 remaining infected IPs as of March of this year. Building on this, more recently we extended this even further, into the work that was recently announced in the press of the takedown of the Rustock botnet. Among the largest of the botnets, it was estimated to be responsible for 40 to 60 percent of all global spam and capable of sending up to 30 billion spam e-mails each day. We estimated that at its height there were 1 million infected computers. So we built on the learning that we took away from the work on the Waledac case a year ago, and this time we were able to develop a complaint in partnership with Pfizer. Pfizer was one of the impacted parties, because the botnet distributed a significant amount of spam on counterfeit pharmaceuticals. We went after IP addresses rather than the domains. The court order allowed us to capture IP addresses and seize effective servers and hard drives from five hosting providers and seven locations across the United States. What’s important about this is that we couldn’t have done this alone. We did this in collaboration with industry, academic researchers, law enforcement agencies and governments around the world. We worked with Pfizer, the network security provider FireEye and security experts at the University of Washing-

ton, all of whom provided declarations in support of our complaint in order to get the relief from the court. We also worked with the Dutch high-tech crime unit within the Netherlands and with China CERT in order to dismantle part of the command structure for the botnet operating outside the United States. Cleanup is also important, and we are also working with the ISPs and with CERTs to continue our work, to notify customers and to seek remediation of the infections on their computers. I see I’m out of time, so I will wrap up with that and leave it for questions. Thanks.

KRISTJAN PRIKK: Thank you.

Good day. This morning I actually thought that this is not going to be that good day. I missed my – I missed the speech of General Scowcroft and most of the first panel due to a minor car accident. But the conference has really turned my luck around, and I feel that this is one day worth living. (Laughter.) So I want to thank – I want to thank Georgetown University. I want to thank Catherine and Melissa very much for this opportunity. Anyway, I’m going to give you a short insight into a – the way Estonia has organized or benefited from the public-private partnership on a national level, how Estonia has used public-private partnerships to build up its national cybersecurity. And I’m not claiming that this is the right or wrong way. I’m not trying to say that this is the model that any or all of the countries should copy. But I’m just saying that this is something that we think does work in Estonia. Now, before – OK. I have to also stop for a short while on the sort of Estonian [67]

PANEL 3: PUBLIC-PRIVATE COLLABORATION MODELS GLOBALLY

context, or – I do think that Estonia actually is somewhat different than most of the other countries, so I have to also prove you why the public-private partnerships may work better in our case. So Estonia – first thing that really sets Estonia very much apart from the U.S., for example, is that Estonia is not a big country, it’s not a small country; it’s a very small country. We only have 1.4 million people. So it’s just a(n) almostdecent-size city here in the States. So this brings some of the benefits as well as some of the down sides. But Estonia’s also very different from many other countries in the – in the sense that, whereas we have a lot of countries where Internet penetration is low and almost no e-services exist, we have an increasing number of countries where the Internet penetration is getting higher and higher and people are using the – mostly private-sector-provided, Internet-based or mobile-based services. But Estonia really has struck a balance where we have a balanced, very high demand and supply of e-services from both the private and public sector. In many or, I would say, in most cases, these services have a mix of government and private-sector input. And e-solutions are very widely used and dependable in the society. I just brought a short list for you, to show the sort of range and diversity of those services that are widely used. As I say, there are – 98 percent of all bank transactions are conducted online. I’m so young that I’ve never had an Estonian checkbook. I’ve – I hardly visit any bank office at all. I mostly do everything online. Ninety-eight – 92 percent of tax declarations – this was the last finding – were submitted online. [68] Georgetown Journal of International Affairs

And I’m saying this as not just a modus to – a mode to send your tax data using telephonic channels, but this is actually a government-supported, governmentdeveloped, free channel for every citizen to – or free platform for every citizen, which actually allows for getting your tax report filled. You only go over it, verify, and if there are some mistakes you correct them. But for most people it takes, like, 10 to 15 minutes, and no dollars from their pocket, to fill – to do their taxes. And – which also means that they can get their returns and deductions and everything much faster too. And parking. In Estonian capital, 85 percent of parking revenue comes from – through the mobile service providers. People pay for their parking using their mobile phones, cell phones. Then out of our 1.4 million people, about 85 percent of them have the government-issued, industry-supported, microchip-based national ID card, which also the legal aliens can get, and which is sort of the backbone for most of these authentication services. Then, Estonia is the only country which has held – and, by now, already twice – national elections using Internet voting – again, using this chip card. This time we had general elections just a month ago. Around 25 percent of people who voted did it using Internet. Out of them, around 2 percent actually used a mobile-phone-based voting option that was used – in use for the very first time and is (seen ?) grow in the future. Then we have national health – electronic health records. And I know all the – yeah, we – I know all the problems we’re – that have been here in the States. But this thing really works in Estonia. So these things are all optional.

International Engagement on Cyber

These are not things that people really have to do, but this is an option. And people have really embraced it. Now, as we know, we all know this 80 to 85 percent figure that – the infrastructure that belongs to the – belongs to the private sector rather than the government. And this brings us to reality. The whole-of-government approach is a must when it comes to cybersecurity. But the whole-of-nation approach is a must too, or this is something that we – it’s not an option; this is a must. The bad guys go where the money is. The money is where the private sector is. And when the government and private sector can find out what the bad guys are up to, the society’s better off. And we certainly need, also, the international efforts, not just live in the bubble or have a naïve thinking of the bubble. Now, 2007 in Estonia, many people asked whether this was the time when we thought – (inaudible). 2007 definitely was a wake-up call. But many other countries, I would say, pressed snooze, and they did it also after things in Georgia. We certainly didn’t. But we had PPP present already before 2007. In fact, in 1998, I believe, was the year when the major ISPs, banks, came together and had the very clear understanding that the – their sort of cyber risk managers had the understanding that we have to collaborate, we have to share data, we have to stand as one bloc against the – against the bad guys. Because one day – one day they’re going to attack us. The next day they’re going to attack the other guys. But 2007 definitely deepened the understanding for cooperation. Now, the – we came up with the cybersecurity strategy, which had the clear aims to deepen the public-pri-

vate partnerships and also the means for that. Basically, what we wanted to do – we wanted to avoid creating very hierarchical organizations, but rather sort of design the official structures to resemble the ones that were there before informally. Now, the main PPP areas focus on the protection of the critical information infrastructure, of course. And the government and the private sector act in sync. We are trying to do it not as a way – as the government, just to mandate and regulate, but rather to consult and offer advice and assistance, if needed, to the private sector. Now, I won’t go into the organization’s chart, but I would claim that we have achieved the – achieved the goal whereby, actually, the private sector does have the levers and channels to the top decision-makers in the government, avoiding sort of stupid decisions being taken just because someone wants to overreact or do something like that. And at the same time, the government has the way to consult and get some insight from the private sector. And there – I know the time is up, but since many people have asked this, about the so-called Cyber Defense League: This is something that we have created to – it’s based on the organization that we have had for almost nine years by now, the voluntary defense organization. But we created a cyber part of it, which is an all-voluntary national cyber corps, both private and public-sector experts from different fields: not just IT guys but also lawyers, economists and so on. And it helps to train, educate and provide the exercising and training sort of forum for those people. And it really benefits not only the government but also the individuals. [69]

PANEL 3: PUBLIC-PRIVATE COLLABORATION MODELS GLOBALLY

And these are my conclusions. The primary – since the primary targets of the attacks are the private companies, the public-private partnership is something that we have to do, and the interagency cooperation is something that we have to do. The way that, in Estonia, we have had shared efforts in creating tools and content by the government and public and private sector also has helped us in this PPP world of cybersecurity. We have the same sort of goals and same aims. Trust is a – is an invaluable commodity. We cannot get it without the – in official networks work, often, better than the official structures. And small is effective, but size sometimes can be also an impediment. Melissa said that – think big, start small, scale fast. We tried to think big. We start small, but we remain small. We are small. (Laughter.) Anyway, thank you very much. Happy to take any questions. Thanks.

scale fast. And I always have an ask. For those of you who know, I had to – I spent a lot of time in Congress, sort of testifying and briefing Congress, during the course of my tour in the government. And you never leave the – without an ask. And so my ask to each of you, if you were king or queen for a day and you asked for just one thing to facilitate that private-public partnership, or the public-public partnership, what’s the one thing you would ask for tomorrow? I’ll start with Bill. And then I’ll open up the floor to questions.

MR. GUENTHER: Sure. I do

think, as I mentioned at the end of my comments, that having the federal government play a match funding role – I don’t – having dealt with state governments and federal funding over the years in different areas, I’m a deep believer in challenge matches. So I think that having the federal governMS. HATHAWAY: That was great. ment put up some funding for some Thank you. So I guess some of the key of the best collaborations and require a takeaways: partnership – the partnership match from industry and participation is not the what; it’s the how. And that by industry would be a critical piece. needs to be focused on the outcomes, John, just to pick up on your point whether it’s reducing spam, detecting just add one other: that we took a look at fraud, incubating the new technologies this issue of legal policy restrictions with and creating the innovation agenda. It Jack Goldsmith and Foley Hoag, and we can’t be done by just one of us; it has to actually didn’t find that many. And to be done by all of us. And it’s the private- some extent, you know, it may be a red private partnership; it’s a private-public herring: that actually, it’s the disincentive partnership; and it’s a public-public in business practices. So that’s the other partnership. And whether that’s a pub- piece, I think, just to take two instead of lic-public state-to-national-govern- just one and be greedy: that somehow ment or it’s a public-public partnership we have to create the incentives for busiof government to government – and it ness to share information and to work has to be spanning the geographies and together in these kinds of collaborations. the globe. And – because it really will take Again, I’m not sure the polall of us to begin to solve that problem. icy/legal is the big hurdle. So as we think big, we start small and [70] Georgetown Journal of International Affairs

International Engagement on Cyber

MR. PRIKK: I would definite- ate incentives for innovation and investly like to invest as much as possible of money, human capital and so on, into any measures, any events, any tools that can be created to support trustbuilding and relationship-building. As I said, as we see in Estonia, personal relationships matter in critical moments much more than any good technical tools or official structures. And this may be counterintuitive, but sometimes I even feel that people should use less Facebooks and Twitters and sort of try to get together personally much more than they – (applause) – they tend to these days. Because when something really bad happens, those face-to-face relationships, they matter.

MS. SCHNECK: Let me hit send,

ment in cybersecurity, which includes resolution of the legal issues. We run into that every day. I’m coming at it from a different perspective, obviously, but we deal with that on a continuing – we have more lawyers, I think, than we have cybersecurity engineers at AT&T. That’s another story. (Laughter.) But really, you know, again, enabling the investment. We want to be the leaders. We got to regain leadership in the world as part of moving the world to a more secure environment. It’s the only way it’s going to happen. And we have to create the environment in the United States where people want to invest, want to invent, want to incentive. That’s what we need.

right? So when you have the big picture there, let us get it out in a way that’s safe for our companies, in a way that gets into law enforcement, and come back to a point that General Croom made earlier today, into – and I’m not putting responsibility on the ISPs, but into the network routers so that bad things can be stopped in real time. Let us get it out there.

MS. HATHAWAY: Thank you. I’m

structive discussion among government and the private sector about some clear, specific objectives – not sort of broad long-term strategic issues, but what are the gets that we can do now? What – I would like to take a more programmatic approach, rather than long-range approach, to some of these issues, and identify particular issues that we can target and work on together.

cyber area, clearly there’s a plethora of options that are all highly debated and bandied about. However, some are more effective than others, some are better than others in having a real impact. And I’d like to ask the panel their opinion on three particular – Cyber Defense League. Other countries have it. Maybe it’s a cultural thing in the United States, but it’s something we do not have that I see our country could benefit greatly from. And how would we approach that and embrace

going to open to questions on the floor.

Q: Yes, hello. Out of this panel, I actually

got several salient points. In the cyber area –

MS. HATHAWAY: Excuse me. Could you – could you tell us who you are?

Q: Yeah. My name’s Mike Zeberling. MR. WERNER: I think a con- I’m with a defense contractor. In the

MR. NAGENGAST: Oh, OK. I

would simply say, you know, I would cre-

[71]

PANEL 3: PUBLIC-PRIVATE COLLABORATION MODELS GLOBALLY

that so that could take root in America? The second thing is with the Microsoft takedowns. There’s probably been about two takedowns a year for the past three years, and that seems to have been very effective. And what can we do to ramp up the pace and rate of those takedowns now that that model’s been successful? And the third of which is, we have a tremendous amount of cybersecurity talent already in the industry. However, they do not – you know, EV, community, security communities and Defense. But they don’t have the clear authority to do various things. So under the concept of cyberstrike teams, is there a model that could be used to empower or give some type of get-out-of-jailfree card to enable vetted researchers or security people to actually assist the government in resolving some of these threats in a more timely manner so we don’t have to wait till 2018?

begin to stimulate action themselves, come to us, and, you know, we can discuss the methodology in which, you know, we have approached these issues. They’re resource-intensive, obviously. The reason they get done one a year is because it takes them time to build it up, to develop the case to do the research and so forth. I think the best way to stimulate that is to get other people who are prepared to take the proof of concept that we’ve offered and act on it themselves.

MS. HATHAWAY: I’m going to

answer the – I think the bundle of the other two questions. In the Cyberspace Policy Review, we identified that we needed to have an overall national education and training program writ large. And that starts with awareness first. There are 133 universities that are part of the information assurance centers of excellence, and, of them, another MS. HATHAWAY: Wow. 33 that are getting National Science That was a lot of questions. So I’m Foundation grants. And there’s a lot of going to try to – Eric, if you could education programs that are ramping – how can you increase the rate of up across and around the United States, takedowns, in a couple of words? and I think that you’ll see more universities become those centers of excelMR. WERNER: So there’s a – as lence as that program gets revamped you can imagine, there’s a tremendous over the course of this next year. amount of work that goes into these And then there’s some real talent efforts. And right now it’s largely our development that’s happening with the digital-crimes unit, working with our overall national cyber challenge, which malware protection center and trust- is the university competitions, where worthy computing, that have been there’s actually problems where the unispearheading these efforts. What would versities have to go after and solve the help to ramp up the pace is develop- problems. And then that’s been extending a framework where others in the ed down to the high schools. And this ecosystem who have similar equities week the Air Force Association is actuat stake, who have legitimate claims – ally going to be recognizing 15 of the what we call standing in the courts, high schools that won the competitions, to be able to pursue these – would out of 700 schools around the country. [72] Georgetown Journal of International Affairs

International Engagement on Cyber

The thing that I found most notable was there was not one high school in the Northern Virginia or Maryland area that won. And that was, I thought – interesting fact. And so I’m going to be digging into that further. (Laughter.) And then I think that that needs to be brought into, actually, the elementary schools. Because as my back-to-school homework sheet for mom was – I had the opportunity to get to explain to the principal why a thumb drive wasn’t going to be going back and forth between school and home. (Laughter.) And I’m picking it up with the school board now. And so as we start to create these opportunities for education around America, I think that you’ll see an emergence of a broader cyber-defense league and adoption of the technology. Thank you for your questions.

Mr. Nagengast and Mr. Prikk and extend your reign for another day or two, if I could, and try and draw you out a little bit more. And Mr. Prikk, I’d also like to ask you another Estonia-specific question. So on the king-for-a-day thing, OK, great, it would be better if we had developed more incentives for private industry to invest in cybersecurity. I don’t think anybody would disagree with that. But how about some ideas? Do you have any thoughts about what would those incentives be? Are they tax breaks? Are they – how do you get them to channel in the right kinds of security? Do you have any thoughts? And specifically, Mr. Prikk, what have you done in Estonia along – I know it’s a very small country and the problem is somewhat different, but there might be some things to learn there. What have you done in Estonia to conQ: One quick follow-up, really quick- vince businesses to do this, particuly. Is there a particular reason why we larly the ones that are more reluctant? haven’t evolved to a point where we’re The ones that think it’s a great idea actually doing – using botnets to self- are not the problems. It’s the ones – delete themselves? I know it’s been talk- it’s the laggards that may hold a piece ed about in the past, but I think we’re at of critical – of critical infrastructure. that level where we can effectively analyze And then, Mr. Prikk, if I may ask these threats to ensure that we don’t you a question about the civil cyberkill somebody in their hospital bed. So corps, do you do any kind of vetting of can you address it real quick? Thanks. the people who are involved in that? Do you know who they are, what their MS. HATHAWAY: I would backgrounds are? And have you had like to recommend that that would any problem with Russian infiltration? be taken offline and at the break or over the cocktail hour so we can MS. HATHAWAY: We only have get to the next two people in line. a couple minutes left, so if we can –

Q: Thank you, Ms. Hathaway. I’m David MR. NAGENGAST: That’ll kill it. Smith. I’mdirector of theGeorgianSecurity Analysis Center in Tbilisi, Georgia. I’d like to – Melissa Hathaway made you king for a day. I’d like to go back to

But let me quickly answer. Start – I would start with the federal government, as the leader in cybersecurity, acquiring effective cybersecurity solutions. I [73]

PANEL 3: PUBLIC-PRIVATE COLLABORATION MODELS GLOBALLY

would start with that, just as – you know, the market responds to the market demand. And the federal government is the largest single buyer of IT communications services in the United States. So if I was – if I was king for a day, I would start with saying, hey, the federal government is only going to buy secure products and services. And of course we need some risk metrics to go along with that, to say, you know, what are the effective ones?

the sort of overall, as we say, cyberculture. Estonians – the private citizens have really embraced the idea of doing more in cyber. People are constantly asking, why can’t we do this electronically? Why can’t we use our ID card? So this – people also have less sensitivity to – regarding their loss of privacy and so on. So – which also triggers companies’ willingness – or to – (inaudible). So we really haven’t had problems with convincing companies to come forward on that.

MR. PRIKK: All right. Firstly, the MS. HATHAWAY: We are out of answer to your last question, yeah, we do have some vetting. There are different layers to that, so we can discuss that later. And regarding the reluctance of the companies or their willingness to cooperate on that, I think that there’s actually – it has to do something with

[74] Georgetown Journal of International Affairs

time. And I have had the honor to work with many of these people for – and colleagues for the last more than a decade. And it’s going to take all of us to drive the private-public partnership, to get to the innovations and solving the problems. So thank you very much. If you please.

Panel 4: National and Global Strategies for Managing Cyberspace and Security FRANKLIN KRAMER: Thanks very much. Everyone who’s here stick-

ing out the entire day certainly deserves a drink. We will try not to stand between you and that drink for too long. I want to just make a few points and then get to the panel, because the panel has a whole lot to say. You saw what the title is, you know, national and global strategies. And I’d like to leave you with a couple of questions to think about as you hear each of the panelists. The first is, when you think national and global, are we just talking nation-state or are we talking something beyond that? Non-state actors, entities like ICANN, businesses? Whose strategies are we talking about? Second point is, is a good national strategy the same as a good global strategy? And that probably depends on whether a country or an entity is thinking about something you might call a global public good, as opposed to an enterprise or an integrated good just for the entity itself – the difference between, if you will, growing the pie and getting the biggest share of the pie. Third question is, strategies for what? What are we actually trying to talk about? Are we talking about use? Are we talking about protection? Free speech? Economic growth? Stability? And do all the arrows point in all the same direction? And if they don’t, which is almost always the case with any set of issues, how do you prioritize and value the different parts? Fourth point is, can you really have just one strategy or do you have to break it down into sub-elements? Is it the same thing, for example, to think about defense and other security issues as it is to think about strategies for business? Are the issues of national security the same as the issues of crime? We heard a little bit – little dispute here – I don’t know if John Nagengast is still here, but Mike Hayden, John, whether or not there was a market failure. My own view about that is, of course

[ 7 5]

PANEL 4: NATIONAL AND GLOBAL STRATEGIES FOR MANAGING CYBERSPACE AND SECURITY

there’s market failure. There’s always market failure. That’s not a surprise. All that really means is what you learn in economics 101, something about economic diseconomies. You don’t really have an enterprise having the same issues as a nation as a whole. That is not a surprise. It is a market failure. Maybe John and I are just doing definition. Doesn’t mean the companies aren’t doing well; just means that their job is not to solve the larger problem for the country. So then the question becomes, OK, if that’s right, how do we solve it? And a lot of discussion already about public-private, et cetera, et cetera. What hasn’t happened here, and it regularly doesn’t happen – I spoke at Black Hat, and some of you heard Jeff at lunch, who founded Black Hat, whatever. Black Hat, pretty much technical discussion. I was the only policy guy, and gave a keynote. Here it’s pretty much a policy discussion, no technical parts. It’s a mismatch. We need – I used the words and – before, we need a wonk-geek interface. I’m a wonk. Jeff’s a geek. We need to have people talk about that, because we need to figure out what are the policy ramifications of some of the geek sides of issues. So what are the – you know, for example, if you think using safe language is a good idea and it has some value, et cetera, et cetera, how do you put that into a policy framework? Or should you? Or we heard a number of discussions about botnets, what Microsoft can do, other people about what ISPs can do. Well, there’s a technical part as to how you do that, and then there’s a policy part about who should do it, who pays, what are the liability issues, what are the ramifications. How do you put those together?

[76] Georgetown Journal of International Affairs

We heard a little bit about resilience – way too little, as far as I’m concerned. But if you create systems that have, so to speak, a gold standard and the like, where do you have to put it? Do you – and who pays? Do you need to put them with – for example, into the industrial control systems of your critical infrastructure? And is that a problem that a company CEO should care about? I had a CEO say to me, well, I understand why I should protect myself against criminals. But why should I protect myself against a nation-state attack in China? Isn’t that what the government? Well, that whole public-private partnership and what the strategy ought to be I think are the questions. So with that, let me turn it over to the panel. We got a great panel. Michele, if you want to start it off; Mary Beth; Gao; Alex; and then Jim, of course, will finish, because Jim can do anything.

MICHELE MARKOFF: That was

a great introduction, but I’m not going to talk about any of those things, so... I hope you’ve all awakened and had your cookie and your water. And I’m going to talk from the vantage point as a diplomatic practitioner. And I’m on the front lines of the international cyberengagement piece. And from that viewpoint, it’s very clear, if the last two weeks have not made that clear, that cyberspace has created a powerful new dimension in an already restless world where an – the international environment is increasingly complex, dynamic and, for many states, highly destabilizing. So traditionally reserved and unresponsive governments are literally shellshocked at a technology that enables powerful and rapidly changing coali-

International Engagement on Cyber

tions of citizens to challenge them, even as they themselves struggle to harness information technology for traditional statecraft. And recent events will only serve to heighten that unease. And it goes without saying, much of cyberspace use is productive and promising, where instant communications melt barriers between cultures and give voice to the previously unheard, where the web opens untapped markets and has become an economic driver of dramatic proportions. But much use is increasingly threatening. From where I sit and what I do, most notably in the last few years is the rise of a significant nation-state threat and the first efforts to project traditional forms of state-on-state activities, including conflict, into cyberspace. And certainly General Scowcroft talked somewhat about his views on this, and so did General Hayden and others. And while some have argued, and may continue to argue, that cyberspace is a borderless global commons and that sovereignty is a quaint, eighteenth-century notion, I would venture that you should think again: that cyberspace begins and ends with a server sitting on someone’s sovereign territory, and that it will be states that will have to act in this arena. After Estonia in 2007 and Georgia in 2008, the fact that some number of states have military or other network operations programs is hardly a revelation. Hardly a day goes by now that states aren’t reportedly either engaged in searching unprotected information for advantage, stealing intellectual property for commercial or intelligence purposes, monitoring enemies or pre-positioning tools for an as-yet-unplanned battle, or even subverting the IT supply chain.

So it’s hardly a stretch to imagine that state actors with significant capabilities could turn cyberspace of the near future into a free-fire zone where exfiltration and disruption are the rule, public confidence is diminished and governments are increasingly concerned that their national security is threatened. Even the command and control over forces may be in jeopardy, with potential consequences that cannot be easily ascertained in advance. Moreover, the unique attributes of information technology make the response strategies anything but straightforward. And I’ll repeat the basic mantra of cyberspace that you’ve heard in one form or another today: our inability to attribute identity to an attacker in real time or with high confidence renders most deterrent strategies futile, since most decision-makers will require both high-confidence attribution of the identity of an attacker as well as the sponsor in order to respond decisively or even to go so far as to accuse another state. The potential to use skilled criminals as witting or unwitting proxies for cyberdisruption, which I believe will be an increasing trend, further complicates attribution, offering a state actor total plausible deniability. So ultimately, two options emerge for decision-makers, both of which are undesirable: Decision-making paralysis or simply lashing out blindly. So while the lack of attribution and the multiplicity of threat actors make Cold War forms of deterrence inapplicable, some modest forms of deterrence may be possible through a variety of overlapping, mutually reinforcing strategies, which include better defenses, nuanced declaratory policies, and what I intend [77]

PANEL 4: NATIONAL AND GLOBAL STRATEGIES FOR MANAGING CYBERSPACE AND SECURITY

to discuss today, establishing norms of acceptable state behavior in cyberspace. So in designing an effective strategy for this threat environment, our challenge is to figure out how to foster an international system where likeminded states coalesce around generally agreed norms of acceptable behavior in cyberspace, finding economic and other social benefit in a predictable, stable environment, with a – and with a stake in opposing those who would destabilize it. So let me be clear first what I do not mean by this. I am not talking about an international treaty instrument, but rather envision, as a general model, the Proliferation Security Initiative: a voluntary regime whereby like-minded states so deplore the destabilizing threat of WMD proliferation that they act together to prevent it. In essence, what we must envision is a system or model of cyberspace stability, and provide the incentives for the international community to engage in the conduct needed to maintain it. Disruptors would be penalized through collective response and hopefully deterred to some degree by that prospect. And I would just, as an aside, say that this is not – you can analogize to the Cold War period. After the invention of nuclear weapons, deterrence did not rise up over a day. What we did was inculcate the Russians with our views of what would, in fact, create a retaliatory response. We need to do something similar now. This will not be an easy task. Over the last few years, the international community has become increasingly polarized in its approaches to cybersecurity writ large. Over the last two years, Russia, aided by China, has strenuously wooed the non-aligned – which are the G-77 [78] Georgetown Journal of International Affairs

states, which are not 77 but now 132 – in a collaborative approach, actively promoting a universal treaty instrument with a triad of elements. They would propose an arms-control ban on what they call information weapons to denote the fact that content such as mass propaganda would be covered. They would impose sovereign controls over politically destabilizing speech, or what they call information terrorism, which would affect the Uyghurs, the Chechens and others. And they suggest a cybercrime instrument sometimes they refer to as “CEO Lite,” which would be less onerous than the Budapest convention. Taking this polarization into account, the U.S. in 2010 began to advance a vision of a normative framework for state-on-state behavior in cyberspace in a United Nations First Committee–sponsored group of governmental experts. And we sought to define common ground that might address fundamental concerns about stateon-state behavior in cyberspace. And at the first meeting of this group of 14 nations in Geneva, which included Russia, China, India, Brazil, U.K., France, Germany and other – Israel, the Russian chair asked questions that many countries are asking: What are the rules of engagement in cyberspace? How is the U.S. likely to behave? Who should be held liable if an individual in our territory does damage to your territory? Are industrial information infrastructures legitimate targets? So the U.S. position was designed to address these concerns, as well as others, by establishing a foundation for what we hope will become a consensus view among all like-minded states on the basic norms of behavior that pertain to cyberspace,

International Engagement on Cyber

in the context of conflict or hostilities. So the U.S. contribution to the U.N. group divided norms of behavior into two categories: those domestic steps that we say national governments should take systematically to defend their national information infrastructures – what Enekin Tikk would have called the “duty of care obligation” – and those norms of behavior that apply to state-on-state activity. The former we had stressed for years, but we had never articulated those norms that we, the United States, believe apply in the context of hostilities. So in the GGE, the U.S. put itself formally on the record as stating that, notwithstanding the unique attributes of information technology, existing principles of international law serve as the appropriate framework within which to identify and analyze the rules and norms of behavior that should govern the use of cyberspace in connection with hostilities. In particular, jus ad bellum and jus in bello. Thus, the United States has stated internationally that the same laws that apply to kinetic warfare apply to cyberspace. Importantly, we also noted the limits of our current understanding of how such principles may apply, since it may be difficult to reach a definitive legal conclusion whether a disruptive activity in cyberspace constitutes an armed attack, triggering the right to self-defense, and that much additional work needs to be done in this area. Nevertheless, we stated that, under some circumstances, a disruptive activity in cyberspace could constitute an armed attack. On self-defense, we noted that the right applies whether the attacker is a state or non-state actor, and that states

are required to take all necessary measures to preclude their territory from being used for cyberattack purposes. With respect to jus in bello, as we interpret these principles, they would prohibit attacks on purely civilian infrastructure, the disruption or destruction of which would provide no meaningful military advantage. And in addition, the potential for collateral damage would have to be assessed before attacking a military target, just as it is when using kinetic weapons. We also addressed, newly, the concept of the use of proxies – that is, the witting or unwitting non-state actors that act on behalf of state or other non-state actors and afford them plausible deniability as a subject that creates new challenges for states that must be addressed. And then lastly, the U.S. suggested that over time steps need to be taken to address issues that could be problematic during conflict: the ambiguity of rules of engagement; the possibility of misperception, leading to escalation; and the general lack of predictability of state behavior through some thought-out confidence and risk-reduction measures. Quite unexpectedly, 13 of the 14 states present, including Russia, were supportive, to one degree or another, of the U.S. vision of international cyberstability based on generally agreed norms of state behavior. Only for China at that time was it a bridge too far. Ultimately, however, we emerged from the GGE with a short, modest, but valuable consensus report that points in a fruitful direction for further collaboration. Key among the recommendations was that there should be further dialogue to discuss norms pertaining to state use of information technology in order to reduce collective risk and pro[ 7 9]

PANEL 4: NATIONAL AND GLOBAL STRATEGIES FOR MANAGING CYBERSPACE AND SECURITY

tect critical national and international infrastructures and that further steps include consideration of confidencebuilding, stability and risk-reduction measures to address the implications of state use of information technology, to include national exchanges – to include exchanges of national views on its use in the context of conflict. This has had far-reaching implications so far. U.K. Foreign Minister William Hague’s speech at the Munich conference last month proposing a conference on norms; the French, the Germans and others; norms has now become a subject for discussion, as it should be. We have no monopoly on the best ideas in this area, and the U.S. will continue to pursue eliciting views from states in a variety of different multilateral international forums. There will be another GGE in 2012, at which we hope to unveil a further development of the U.S. position. We’ve had a very productive bilateral in the last three weeks in Moscow with the Russians where we have actually agreed on certain confidencebuilding measures, including crisis cooperation and communication measures to CERT activities and other things which had heretofore not occurred. So we are hopeful that we are being able to shape the international environment in a way that we, the U.S., can lead, and think is a useful track forward. And thank you. I will stop there.

efforts in organizing this. I think over the course of the day a lot of the issues and the level of complexity has really been brought out to this – to these challenges that we face in cyberspace. And a great deal of them, or all of them, really, are what we’ve been thinking a great deal about at DOD, our concerns, everything from deterrence and declaratory policy to supply-chain risk management to how we can better work with our privatesector colleagues so that we can provide for better cyberdefense writ large. So today I’m going to keep my remarks fairly brief so that we can get into the question-and-answer period. And I just kind of want to give you a broad brush from a Department of Defense perspective of how we look at the international engagement piece. For DOD, as this conference really has demonstrated, you know, in cyberspace, a risk to one is a risk to all. No one nation has a hundred percent complete situational awareness at any one time of what’s happening in cyberspace. So if we as a department are to be successful in defending and providing enhanced security in cyberspace, we must build international partnerships both bilaterally and multilaterally. And it has to be a U.S. government effort and a whole-ofgovernment approach if we’re going to be successful. So we’re very closely working with the Department of State as well as DHS as well as the national security staff. MARY BETH MORGAN: Good Given the importance of cyberspace evening. Thanks for sticking with us. to the department’s – to our ability My name’s Mary Beth Morgan. I’m to conduct effective high-tempo milwith the Department of Defense OSD itary operations in the 21st century, policy cyber office. And it’s a plea- Secretary Gates tasked our office with sure to be here today. I’d like to thank developing a comprehensive strategy – Georgetown and Catherine for her great cyberstrategy for the department. I’m

[80] Georgetown Journal of International Affairs

International Engagement on Cyber

pleased to say we’re in the final throes of coordination on that within the department, and it is up to the secretary’s office for his review and hopefully approval in coming days. And this is a critical aspect of how the department will kind of organize, resource, train and equip itself going forward. Service members assigned around the world, whether it’s at the Pentagon, from Stuttgart to Afghanistan to Japan, rely on resilient, reliable information and communication networks with assured access to cyberspace. The department runs some 15,000 networks with 7 million devices, serving some 2 million users around the world. When I first came into my position, I was told that DOD networks are probed roughly 250,000 times an hour. And when I heard that, I thought, I’m sorry, you misspoke, or I misunderstood. No, that number is correct. So as you can see, our challenge from a departmental perspective is great. And it’s a great microcosm of what we’re facing writ large as a nation and as a world. So as we’ve worked to develop our strategy, a key foundational element of that strategy is engaging international partners of all kinds: nationstates, private sector, and, most importantly, in the multi-stakeholder forums that help govern and develop the architecture for the Internet. As I stated earlier, cyberrisks and challenges demand new international partnerships to mitigate them. Risk in cyberspace is not accepted; rather, it can be transferred in the blink of an eye. And we are only as secure as the weakest link. We believe that engagement with our friends and allies promotes shared awareness, which leads to

enhanced early warning and ultimately and over time can enhance and enable collective self-defense in cyberspace. Bilateral and multilateral exchanges inform our common understanding to address these challenges, effectively priming discussions on norms of behavior in cyberspace, which Michele was referring to. We must work with our partners to develop these international norms, and we need to look for ways to develop confidence-building measures that serve to minimize the miscommunication that can lead to escalatory behavior. In an interconnected world, situational awareness cannot stop at the boundaries of our networks. Only by working together can we increase our knowledge and ability to anticipate threats, vulnerabilities and intrusions. The speed that defines cyberspace will not allow us to face the new challenges as they arise. We must put mechanisms in place today so that we can respond to those threats in real time tomorrow. One example of our efforts is at NATO. Our close collaboration with fellow member states will increase cybersecurity awareness across the alliance, harden the NATO networks and thereby provide a stronger IT infrastructure for NATO activities and operations. Beyond these traditional military partnerships, we’re also looking to embrace new approaches to how we develop these – our international engagement. What this means in practice is that when we engage friends and allies on cyberdefense and cybersecurity, we are doing so with our colleagues from across the government. Cyberrisks imposed on sectors beyond defense – such as transportation, finance, critical infrastructure – and the dynamic nature of cybersecurity [ 81 ]

PANEL 4: NATIONAL AND GLOBAL STRATEGIES FOR MANAGING CYBERSPACE AND SECURITY

requires us to have close cooperation with our interagency partners. A wholeof-government approach, we firmly believe, provides foreign partners with a more comprehensive understanding of each of our department’s efforts and underscores how those efforts are complimentary and serves to reinforce our overall U.S. cybersecurity goals. For instance, we coordinate very closely with the Department of Homeland Security and other agencies when we work with foreign partners to explain the difference. It’s important to note that, while DOD is responsible for the .mil domain, DHS is responsible for the .com and the .gov. But in the event of a large cyberincident, DHS may request assistance from the Department of Defense. And given the department’s role in providing defense support to civilian authorities, we must build these close relationships with our interagency partners in order to be prepared to assist if and when called upon. So to help prepare and plan for such contingencies, the DOD and DHS signed a memorandum of agreement last fall to exchange experts that will help streamline in – real-time communications and coordination between the two agencies. We’re still at an early and a nascent stage in doing this, but this is a very important step forward if we’re really to be prepared moving forward. It also demonstrates the U.S. government’s robust activities to our international partners, especially as DOD works to promote shared awareness, early warning, and this concept of collective cyber self-defense. Turning to the topic that the third panel covered a little bit, in the globalized economy – and, in particular, the

[82] Georgetown Journal of International Affairs

globalized information and telecommunications marketplace – it provides another huge challenge for the department. Engaging also means engaging with the private sector, and we have to factor that into our international relationships. Not only is our cyberinfrastructure owned predominantly by the private sector, but a globalized supply chain means that more and more of our key capabilities and technologies that we as a department and a nation rely upon are coming from overseas. For instance, the proliferation of counterfeit components will require multilateral efforts to reduce risk and assure quality. Continued and enhanced engagement in the multi-stakeholder standards bodies is also important to the future of cyberspace and ensuring interoperability. There are large questions surrounding how we as a government and a department can work with the private sector to share information on a real-time basis. And in John’s presentation he highlighted that, of the problems of the legal aspects of government and industry sharing that information. So that’s a challenge that we’re trying to work through with our colleagues from DHS as well as the Department of Justice. So in sum, the challenges in cyberspace that we’re facing are cross-cutting and dynamic. And we have to be agile and we have to work across and through the traditional stovepipes, whether in DOD, across the U.S. government, as well as with the international community. And we have to find new ways to develop creative solutions. Thank you, and look forward to your questions.

GAO FEI: Good evening, everyone. Thanks, Georgetown and Atlan-

International Engagement on Cyber

tic Council, to have me today. However, I am not expert on cybersecurity, so I only can do a general view on China’s policy on cybersecurity. The first: In past 10 years, China’s Internet growth was really fast. Its growth, about 10 times in the number – in the terms of number of the Internet user. The total number is about 457 million people use Internet now. And 90 percent of people, they are broadband Internet user. And the Internet penetration rate is also getting higher, especially in the east coast and the west Uyghur autonomy. Chinese life right now, more and more depends on Internet. Different – (inaudible) – already established their government website so the people can easily access this website to have some government service. And also, in past few years, online business increased very fast. And more than 40 percent of middle-sized and small enterprises right now have reached the Internet. And partly because China’s Internet developed very fast, there are some – also leads to some – (inaudible) – and problems. The more Internet user, the more troubles in Internet. And it’s also – faster growth means it’s very hard for the Chinese cyberpolicy to catch up with such fast growth of Internet user. And the switch of broadband also means increased range of things the people can do online, both something good, both something bad. And Chinese enterprises right now, really totally new. And the garment enterprises, they like the experience to cooperate with other to deal with the new challenge. And a lot of people have talked about, if you track the hack attack, you

can find a lot of hacked attack come from China. But actually, China also biggest victim of hack attack. In 2007, on December, there is, according to the statistics, the bot-infected things in China is twice more than United States. It’s about 1.6 million computer with software, the bot infected. And sometimes the hack attack from China actually – the hack may not be in China. They only use some slave computer to attack other country or other computers. And according to China’s ministry of public security’s statistics, 80 percent of computers in China have suffered botnet attacks. And more than 95 percent of Internet servers experienced different kinds of hack attacks. And on September 2009, more than 3,500 suffered malware attack. And more than 200 of them are government websites. And in China, the cybersecurity is facing a lot of challenges, both domestic challenges and external challenges. Domestic challenges partly because the most – more than – it’s about 60 percent of Internet users are under 30 years old. So this age, people, they like to challenge the authoritarian, different kind. So some people, it’s very easy to find some hack program to learn. And also, for the young generation, I still remember my generation, when we came to the university or the school, that they arrange a lot of classes for us to learn computer. But now, the young generation – without learning anything, but they can use computer, even – easily become a hack. And external challenges are also really serious. In most botnet cases in China, the controller was found to be located abroad. And moreover, more than 80 percent of the cyberattacks targeting websites of China government agencies [ 83]

PANEL 4: NATIONAL AND GLOBAL STRATEGIES FOR MANAGING CYBERSPACE AND SECURITY

came from overseas. And today China is facing some dilemma on cybersecurity issues. The first is – it’s a balance between the economic and the technology innovation in cybersecurity. Because the technology elites, they dislike more and more restriction against the free flowing of Internet. So how to keep the balance between the security issue and the economic development and the technology innovation issue, that’s pretty difficult. The second is the political development on the cybersecurity. As Chinese, we cherish the Internet: it provides opportunity for us to develop our own civil society and to provide opportunity for China to develop our democratic system. But the question is, the cybersecurity (getting ?) serious if the government involves, this precise, as well not good for the civil society development. It’s not good for future democratic construction. The third is the international communication and domestic stability. In – actually, in China, we know we’re facing some international challenges. But also, the biggest challenge comes from our domestic society. Because China is still a developing country, so many contradictions in our own country. So sometimes, especially in some – China also suffered some terrorist issue. Some group in China is a terrorist group, but in United States maybe not. So how to balance the international communication and the domesticsecurity issue is also another challenge. For this reason, in China – China’s policy towards cybersecurity, there are a lot of weak points, I think, although China already has more than one hundred laws, regulations, on the different – on the national and local depart[84] Georgetown Journal of International Affairs

ments level. But today’s China still hasn’t systematic cybersecurity strategy. Today’s China, it’s very clear we also look hard at cybersecurity, because the Internet plays a more and more important role in China’s economic development and political development. So how to make sure the safety of Internet – of Internet is also very important; I think is already in the agenda of China government. But the – but the question is, different government department only focus on different issues. The – there is no coordination among them. I think in the future, policy construction is very important – (inaudible) – trying to coordinate different departments of the government, coordinate their policy, and also develop laws and regulations – of course, also including technical standards, and continuously intensify their efforts on network security to deal with network security problems. And for the last, about the China’s policy towards international cooperation. China’s policy is very clear. In China – China’s strategy is development. We know, as the biggest developing country, our country has a lot of troubles, but how to settle these troubles, both politically and economically? The only way is to develop our country – not only develop our economy, but also develop our political system, and also social system. And in cybersecurity respect, I think it’s very clear: China and other countries, especially United States, both two countries, we experienced military conflict and political dispute, economic dispute for pretty long time. And it’s very clear, in the future, for both of our two countries, facing the same challenge. And we have the same common interests in the cyber-

International Engagement on Cyber

security – in the cybersecurity respect. So I think for China’s policy, it’s clear, to cooperation, to make the safety of cybersecurity our priority. China and the United States, we already experienced some kind of military race. We cannot spread that to the cyberspace. So I think that there is no other choice, only cooperation. Thank you.

ALEXANDER

KLIMBURG:

So good afternoon. I don’t really care what anyone says; being the penultimate speaker on such a long session is really quite a challenge. So I’m going to have to speak very, very quickly to cover a lot of ground. If I go too quickly for some people, please ask me afterwards or maybe we can catch up on questions. First of all, I can’t skip what I think is an essential introduction. Everything in cybersecurity, in cyberspace is marked by ambiguity. We don’t even have a common way of spelling cyberwar, let alone a definition. If this doesn’t tell somebody something, then nothing will. We have no common actors. Between non-state and state, there’s a world, a galaxy of different actors that can sometimes be both things at the same time. We have no common definitions in terms of whole of nation, which we’ve been talking about all day. Even whole of government sometimes doesn’t even mean the same thing. Information warfare? Ask three specialists on cybersecurity about information warfare and you’ll get four opinions. Cyberpower, which is – which is actually the – one of the things I’m talking about today, has been actually defined a bit better, but that’s also not completely clear. The only thing I’d like to say is that cyberpower is not information warfare, in my opinion. And just to remove

one personal ambiguity, I am speaking today as a member of an Austrian think tank and not as an advisor to government, so everything I say is, of course, my personal opinion and not the opinion of the Austrian government. I also want to put – point one other thing out while I’m at it, is that sensibilities are not, also, always the same. So while my research might appear slightly offensive to some parties, no offense is, of course, meant. This is just what my research has led me to. Cyberpower was defined recently by the National Defense University, so we actually got quite a bit further in the last two years. Just to be very brief, cyberpower has two definitions, and according to the definition that Frank did, first of all is a warfighting domain, which he talked about very often today, but also, it’s also something that works across the instruments of power. The instruments of power can be diplomatic, informational, military, economic. And for me that’s a really interesting question. How does it work across these different instruments of power? Because that’s not something we’ve talked about very much at all today. I think one of the things we have talked about, however, are things like whole of government. Now, whole of government is something that comes from a public-policy point of view. So this is not international-relations theory. This is public-policy theory. And this has been around for about 15 years. Wholeof-government approach, for instance, has given birth to interesting concepts in stabilization operations or conflictprevention operations or other good stuff that’s been around in the security frameworks for about 10, 15 years.

[ 85]

PANEL 4: NATIONAL AND GLOBAL STRATEGIES FOR MANAGING CYBERSPACE AND SECURITY

For instance, there’s something called 3D approach, defense, diplomacy, development, for those people who have been to Afghanistan. The whole-of-system approach has also been defined. That is, for instance, the joint horizontal effort of national and international actors working in conjunction across international borders. A comprehensive approach in NATO, for instance, is such a – such an example; but also the 3C approach, which is very popular in the internationalaid community. That means coherent, coordinated, complementary, yeah? And finally, we have the whole-ofnation approach, which has been mentioned a couple of times today, but surprisingly has never been defined. It’s not – it hasn’t been defined anywhere. Australia has one definition as part of their resilience strategy, and Singapore has a very different definition. And trust me, they have nothing in common with each other. What happens when you take this type of public-policy theory and you try to superimpose it on, for instance – by the way, I call that boots, suits, sandals and spooks. But that’s just my own personal definition. What happens when you take these types of approaches or theories and you apply them to cyberpower? So I believe there – we have three dimensions to cyberpower. The first is integrated government capability. This is the whole-ofgovernment approach. This is the center of – the center of gravity here is government departments. And the effect we’re looking at achieving is coordination. Such an example could be, for instance, a – the national cyber incident response group, for instance. That’s [86] Georgetown Journal of International Affairs

one example of coordination. It has to be cross-departmental to succeed. The integrated systems capability applies only to organizations that are broad. So it’s cooperation across international borders, and the center of gravity is going to be international frameworks and legal agreements – for instance, the convention on Europe cybercrime – the cybercrime convention, for instance – but also, for instance, the FIRST group. That’s the Forum of Incident Response and Security Teams. So this is international collaboration outside of government, but also within government. Finally, there’s integrated national capability. This is the whole-ofnation approach. And the center of gravity here are non-state actors. So this is – this includes criminals, academics, religious and ideological groups, but also, of course, independent businesses, which we’ve heard a lot about today. But they’re only one bit of non-state actors, in my opinion. They also especially include, in my view, very importantly, the civil society. And the effect that we’re trying to attain here is cooperation. So if, the big question for me is, wholeof-nation approach to cyberpower depends on the cooperation of nonstate actors, how exactly do you achieve this cooperation as a government? Let’s start with China. So China, from my point of view, in – has, as part of its major topography, one particular issue. It has the fastest-growing Internet population, as we saw beforehand. It has over 400 million users, nearly 500 million users, 50 million blogs. And the netizens – so the people of the net – are probably also the biggest security con-

International Engagement on Cyber

cern to the Chinese communist party. It is the biggest issue in China security that I’m aware of. It’s not a big surprise it is also the only area where, for instance, dissent can be expressed in any particular way; it is the only way. It is also quite difficult to control. As everybody is aware of, there is – there are very comprehensive security programs in China to deal with internal communication of content. That’s why it’s often controlled, content control. But it’s not very effective in achieving all of its objectives. So what you need to do is you need to basically coerce – or co-opt, excuse me. You need to co-opt these actors into being part of your system. And there’s different ways of co-opting actors. You can have paid bloggers. There’s a national PR emergency bill that basically allows up to about 10(,000), 20,000 bloggers to be put on the payroll of the government, and in times of emergency they’re supposed to be able to – they’re supposed to follow orders from the government and effectively help the government in their psychological operations. There’s the national defense reserve forces, which is a program that’s been around for 20 years, which basically means that most students that are part of a technical university are automatically also part of some type of military organization. There are information-warfare militia units, which are not the information-operation militia units. They’re a different kettle of fish. They’ve been around for quite a while, and everybody’s heard of them before. And of course, the PLA hacker competitions that everybody’s heard about, which very often, supposedly, feed into these information-warfare militia units. Now, in my opinion, these compe-

titions and these units and all these programs are not really there to wage aggressive warfare against the west or anybody else. They’re mostly there to deal with a perceived internal security threat. So it’s actually a big make-work program, if you will, and the people who suffer happen to be abroad. Because the main thing you’re trying to accomplish, you’re trying to keep these people busy. A vignette that I won’t be able to offer right now but which you can look up yourself is a guy called Wicked Rose and a network crack program hacker group. Time magazine did a very good article about them two years ago. They can be Googled, and it will give you an insight into what really one of these information-warfare militia units looks like, what their relation with the government is, and why you probably don’t have to be really worried about them. Second of all, Russia. Russia is said to exercise network control as part of their whole-of-nation approach. The first feature I would – I would raise is that they have probably the most techie population in the world. It’s been – it’s been talked about beforehand. They have a very, very educated technical population, and it’s also, unfortunately, given rise to the most active cybercrime groups in the world. 40 percent of all cybercrime in 2007 was down to one single cybercrime group, the Russian Business Network, which doesn’t exist anymore. However, they do have a lot of copycat groups, which are called RBNEs, so little RBN groups. However, the most important level is – important question is, how does the Russian government engage with this very wide and diverse and capable group of non-state actors? In my opinion, it’s [ 87 ]

PANEL 4: NATIONAL AND GLOBAL STRATEGIES FOR MANAGING CYBERSPACE AND SECURITY

through coercion. The ownership of the media is something that – well, basically, Jeff Carr basically mentioned beforehand as something that troubled him beforehand. Digital Sky Technologies is a very large company that’s very close to the Kremlin. They own 10 percent of Facebook, besides a whole bunch of other big Internet media companies. And you can also imagine that they sometimes exercise control over these companies. ISP networks in China – sorry. ISP networks in Russia are forced to implement Swarm II legislation – Swarm I, Swarm II legislation – which basically means that every Internet bit – every bit of traffic in Russia is copied and ends up at the FSB. It’s also very expensive to do that. So if you’re not able to actually pay for this technology, then they can get you to do a whole bunch of other things. There’s also political proxy groups, such as Nashi, but also such as the Eurasian Youth Movement, that have been – supposedly been active in attacks on Estonia, Georgia, Ukraine, a whole bunch of other countries. And there’s just the general relation of the intelligence community to cybercrime and the so-called hacker patriots. There’s a general tradition in Russia that is best expressed in a vignette that actually Jeff Carr and I dug up about two years ago, which is a – which was basically the recruitment of Anton Moskal. He was one of these patriot hackers who was – sorry, hacker patriots, who was contacted by the FSB, and they tried to get him to cooperate. He turned them down and then he basically posted a blog about his experiences. It’s quite interesting reading. Unfortunately, when Intel Fusion (sp) went down, I think we lost the translation as well. So I’m not too [88] Georgetown Journal of International Affairs

sure if you can find it online anymore. Finally, about the United States. So I always consider one of the major features of the United States to be that the vast majority of cyber – and I really mean the vast majority: 80 percent, 90 percent – of cybersecurity is nonstate, and it is never going to be state. And we’ll – and it will – has to be convinced to happen. You cannot legislate 80, 90 percent of cybersecurity. This is – this is an issue that we constantly overlook when we’re talking about the political aspects of cybersecurity. It’s mostly outside of any kind of conventional political form. You have to engage with it. And there’s different ways of engaging with it. And the first level I see in a non-state group is the critical infrastructure protection, or, in the U.S., Critical Infrastructure Key Resources Group, which includes also the defense industrial base; also contractors and other people who have a formal relationship with government that’s usually marked by security clearance. We also have a second level, which includes McAfee, (Sandia ?), Microsoft, all the other companies whose job it is to effectively deliver security on the Internet. But then you have level-three groups, which is technical civil society, which includes the Internet Engineering Task Force, the open-source developers, and all the white-hats that we’ve briefly talked about but not actually talked about in any depth today. And finally you also have a bunch of policy and groups that – like ICANN, which is effectively a policy group, but also think tanks and other lobby organizations that play an extremely important role in maintaining overall cybersecurity. None of these people really have

International Engagement on Cyber

featured in any big way in any type of program. And it makes you wonder what we’re missing out here. Because it’s quite clear that 60, 70, 80 percent, at least, of cybersecurity depends on these actors. And just as a test, how many people have heard of Kaminsky, Daniel Kaminsky? Can I see a short – OK, most people. Thank God, really. So if you don’t know how – who Kaminsky is, please Google him. There’s a very good story on Wired. There’s also a good story about how Kapela and Pilosov saved BGP that’s also on Wired, and also why Shawn Carpenter lost his job. Sean Carpenter was a guy at Sandia who basically helped reveal Titan Rain attacks to the – to the public. I’m not saying that the government didn’t know about titan rain attacks, but he definitely brought it to the media attention, and he got fired as a result. I want to just briefly also just explain what I mean, again, by integrated national capability and why the civil society can be such an important part of it. Civil society delivers one important thing, among others. That’s attribution. Everything I’ve talked about beforehand has been based upon research that was done in the public domain by volunteer groups. Estonian 2007 attacks was researched by the U.S. Cyber Consequences Unit. Georgian and Ukrainian attacks was researched by Jeff Carr and his group. The Russian Business Network has been subject to a whole bunch of studies by professionals online. GhostNet – “Shadows in the Cloud” has been done by Information Warfare Monitor. And Stuxnet has been done by the Cyber Security Forum Initiative, among other groups as well. Now, by publicly delivering plausible attribution, these guys lift the cyber-

veil and they help solve the attribution problem. This is certainly complementary, in my view, to U.S. and European policy. Now, you might argue that the level of attribution that these guys can deliver is not really – not really effective. It’s not really good enough for Cruise missiles. But it is good enough for CNN, and I believe that’s what’s mostly – what’s most important in cyberpower. So I’m going to actually conclude – well, I’m going to conclude in – about – in one minute. The – what I want to point out is that liberal democracies depend on non-state sector completely for cyberdefense. But they also depend on – depend on it for cyberpower. This is in Internet governance. This is in open-source development. This is in a whole bunch of other areas. Finally, legislation and cash can get you somewhere. It can cover basically level one, CIP, critical infrastructure, key resources. But for everybody else, voluntary cooperation is going to have to remain voluntary. Volunteerism is situational; it’s not institutional, and depends on a state – precedes legitimacy of action. And legitimacy depends on the overall inward soft power of a – of a state. And this is not nationalism, and this is not legislative fiat, but it’s reputational power. And you only have basically one choice. You only can either coerce, co-opt or convince the non-state into cooperation. Thank you for your time.

JAMES LEWIS: Well, you guys are really hardcore, and I appreciate your sticking around. And I have a 412-slide PowerPoint deck, which I’m going to read in – I’m going to read in a monotone, right? No, actually, I’m

[ 89]

PANEL 4: NATIONAL AND GLOBAL STRATEGIES FOR MANAGING CYBERSPACE AND SECURITY

going to do it in – the Marxist perspective on cybersecurity. But since it is cybersecurity, it’ll be Groucho, right? I want you to put one word in your head here, the maybe one word you could take away with – actually, two words you could take away. The one word is cacophony – if I could say it, you would know what it is. But it’s a Greek word that means a lot of noise. And so what we’re seeing now with cybersecurity is a lot of noise. The other word, and I’ll come back to it, is transition. And I thought to myself, you know, it’s the end of the day, I’ll talk fast and I’ll go quickly. And so I wanted to read a prepared statement. Since the private sector owns 190 percent of critical infrastructure, if we strengthen public-private partnerships to improve informationsharing and situational awareness, it will empower innovation and risk management in the cyberecosystem. Thank you. Thank you. I ask you, ladies and gentlemen, what more is there to say, you know? And the answer is, quite a bit, unfortunately, because we’ve been saying that sort of nonsense now since about 1998. It doesn’t work, right? So where are we? And I want you to think three transitions here. The first is, we’re in a technological transition: how people connect to the Internet. It’s going to be mobile and it’s going to be managed. And last year was an interesting year, because it was the first year that pads outsold PCs. How you connect will be different, and it’s going to shift the locus of security, right? Second thing I want you to think about is the pioneering American ideology, the way we saw the Internet, right, and the way we thought about governance, right, and the way we thought [90] Georgetown Journal of International Affairs

about the role of government and why it should be limited. You heard all that. The pioneering American ideology is collapsing, for two reasons. One, the Internet isn’t American anymore. And two, it doesn’t work, right? So even we are having a hard time sort of keeping the boat inflated, with so many holes in it. Finally, you want to think about the extension of sovereignty. And other people have talked about that. There are clearly borders in cyberspace, right? Governments have figured this out. They’ve figured out that all this stuff they heard about how it was going to be a self-organizing global commune – we’re the Internet community, we deliver – (makes snoozing noise). (Laughter.) You know, come on. (Makes slapping noise.) Oh, I’m sorry, I must have dozed off. (Laughter.) It’s over, right? (Chuckles.) And so governments are moving into cyberspace, and they’re doing it, some of them, in a very obtrusive fashion. Others are not. So the issue for us, and the one that – this panel’s been a little unusual because we actually talked about the topic we were assigned – (laughter) – but how do we manage this transition? We’re in this big transition. How do we manage this transition to an Internet that will have a greater role for government without losing the values that we cherish? And a guy named Stefandre Holsteune, who works at the Marco Foundation, he said something to me that was very interesting. He said, look, it’s clearly not a commons, right? That’s delusional. But the values behind the commons – openness, access – those are worth thinking about. And so don’t think of it as a commons, but think of the values we cherish.

International Engagement on Cyber

And how do we preserve those values? How do we preserve those values in this period of transition and in a period where – and something that hasn’t come up so much – where the other guys all fear us, right? Another acquaintance of mine said that to foreigners, we are the borg: You know, prepare to be assimilated. And they – you know, when we say things like “dominate,” it has a reaction. And so one of my – when I advise DOD, I say, you know, it’s OK to want to dominate. Just don’t say it. Right? But so that’s – no, we would never do that. Trust me. Right? So the key political issue, right, on the international side is what I would call the big trade. And there was a quote by the president of Russia that didn’t make the Western press, and I was a little surprised by it. It was in the Russian press. And what he said is, see what happened with social networks in Tunisia and Egypt? They’re going to do that to us next. That’s an amazing quote, isn’t it? So when you think about that, what we’re basically asking some of our opponents in cyberspace to do sometimes is we’re asking them to commit suicide. And we’re always a little surprised that they don’t go along with it, you know? Come on, is this such a big thing to ask? Right? Because there’s an implicit conflict here, and there’s a real political risk to authoritarian regimes. And so the deal, as Michele could tell you or Frank could tell you, any of these guys could tell you – the deal that they want is, we’ll deal with you on military risk and espionage and cybercrime. You deal with us on the political threat to our regimes. And that’s going to be a very hard deal to broker. We will have to deal with it.

And I think that when we think about this, the solution probably lies in thinking about sovereignty, in thinking about governance. For me, these are issues where only the government, right, will be able to lead, right? And so you hear the private sector will do this, the private sector will do that. The private sector won’t do it. We need to think – as Jeff Carr mentioned today, we need to think about how do we build consensus among governments. You heard some good presentations on how far apart we are. I know from the thing that Michele led at the U.N. – it was a three-week meeting. One entire week was spent fighting over the title, right? What do we call this? And they couldn’t agree. So there’s a hint, as we’ve heard, right? But how do we build consensus? And that will require leadership from governments. How do we articulate the vision of this new consensus that will not be the old pioneering nonsense about government, non-government actors and communal action and voluntary stuff but will do something where states preserve the political values that we cherish? This is now a global institution, and maybe it’s time for it to grow up, right? It’s a global – it’s – pardon me, it’s a global infrastructure, and maybe it needs global institutions. And when you say institutions, that does not mean the ITU, right? (Chuckles.) But it does mean agreement on norms, some kind of consensus, a place to work together, none of which exists. And so when we think about the international problem, that’s what we’re going to have to deal with, right? Security and governance are irrevocably linked. And one of the things that we’ve heard today is, you know, as we improve

[ 91 ]

PANEL 4: NATIONAL AND GLOBAL STRATEGIES FOR MANAGING CYBERSPACE AND SECURITY

at the sort of lower-end things – you know, Windows 7 is better than Windows XP – you’re not going to eliminate the high-end threat. The people who did Stuxnet are going to beat anything that any company can come up with. So at some level, we will need to address this as a governance issue if we want to really depend on this thing and realize its full potential. So I have some requests, and that’s what I’m going to end on. We are in a period not only of transition; we’re in a period of cacophony, where everybody and their dog now has a white paper on cyberwarfare or something. And a lot of them are better than the stuff I write, so I’m not being critical. I mean, that’s a low bar. But do me some favors, right? First of all, let’s try and be more precise in our discussion here. And I’m as guilty of this as everyone. We all say cyberweapons; there is no such thing. Everything is a cyberattack, right? Everything is not an attack. Can we be a little more precise? The second thing is, can we bring in data, right? We use analogies, we use stories, we use anecdotes. We use myth, we use legend, we use fairy tales and magical thinking. How about a little data, right? So when people talk about things like market failure, OK, I can measure that, you know? Let’s start measuring this and let’s get real data. And one of the things that’s happened in the past few years is we now have the ability to collect real data. And that will change the cybersecurity debate. You can help. Finally, do me a favor: Lose the blinders, right? Because we tend to think – you know, people still approach cybersecurity in this way that comes out of the 1990s. I don’t see any solutions. Lose the blinders, right? We need to [92] Georgetown Journal of International Affairs

rethink our ideologies. Cyberspace is not that unique, right? We are returning to the norm where the states, initially baffled by this new thing, have figured out how to deal with it. And this will become largely a state issue for me, and we will have to deal with that. So do me a favor. Think about all these things. Think about how we improve methods in the debate here. And maybe we can make some progress in the international realm.

MR. KRAMER: Floor’s open for questions, and the shorter your question, the quicker the drinks.

Q: My name is Randy Ford. I’m with

Raytheon. Mary Beth, was interested, you talked about international engagement, you talked about DHS, you talked about Justice, you talked about NATO. And just exactly like the deputy secretary of defense’s article in Foreign Affairs magazine last fall, you didn’t use the words diplomacy, and the Department of State was never mentioned. So I’m –

MS. MARKOFF: She did mention – MS. MORGAN: No, I did mention

the

Department

State.

Q: Well, deputy secretary of defense

didn’t mention Department of State or diplomacy or foreign policy in his seminal article last year. You talked about whole of government. Now, I’m just kind of curious, who’s in charge of the foreign policy of cyberspace for the United States? Is it Department of State? Is it the Department of Defense? You’re talking about going off of international engagement. Michele’s talking about bilats with other countries

International Engagement on Cyber

that get into arms-control-type things. So where’s the connection? How is the U.S. government – this whole-of-government – tell us where that’s actually – where does – where does the connectivity take place, and where can we understand where the dialogue is and the liaison and so forth is actually happening?

going to be areas where we as a military, our mil-to-mil relations are going to be able to advance with certain friends and partners. And I’ll let Michele –

MS. MARKOFF: Yeah, I would

add – I would add as well that the basic U.S. submission a year ago to the GGE really represented a categorical jumpMR. KRAMER: Why don’t shift in U.S. policy. It was a policy you go ahead, Mary Beth, where we did not talk about state-onbut then, Michele, jump in. state activities, political-military activities in an international context at all. MS. MORGAN: Yeah, no, I mean, It was through collaboration between I think that’s a fair question. But clearly OSD and us that we actually came up the State Department is in charge of with the basic position that we were foreign policy for the United States able to put forward, that talked about government. We work this issue in an the law of armed conflict, international interagency process. Through that pro- humanitarian law, and affirmed this. It cess, DOD is part of that team and went through a big interagency scrub helps and assists State Department on and a White House scrub. It was truly, I whatever it needs in this area. The ele- believe, an interagency document. And ments that Michele was discussing have both in the GGE, in Moscow bilats, large impacts and we have large equi- wherever we go, I have my trusty OSD ties in what’s going on. So we’re part colleagues with me. And that’s not just of that interagency team, just as we are OSD. I have Justice, I have the intelon any other type of traditional engage- ligence community, I have others. It ment that we have as a department. really is a very, now, I believe, effecNow, as a department, we main- tive, collaborative approach. And it is tain military relationships around the allowing us, actually, to evolve our posiworld with our colleagues in the min- tions much more closely and with much istries of defense. As we do that, the greater alacrity, especially the norms State Department is always connect- issue. It’s a huge step to think where we ed and informed of what is going on. go with the notion of norms post-IHL. So, you know, the emphasis of the We will have – somebody talked earlier deputy secretary’s Foreign Affairs article – there will be a new international cyberwas kind of the larger thought piece. It strategy which will have some key pieces, was – it was not meant to say that diplo- but that won’t answer all of the mail in macy isn’t important. We believe that it’s the pol-mil context. And I believe it important, to the – to the point that one will be through collaboration with OSD very large aspect of our strategy is inter- is the only way that we’re really going national engagement. And it very clearly to be able to move forward effectively. states that that is with the lead of State Department, with us there. And there’s [ 93]

PANEL 4: NATIONAL AND GLOBAL STRATEGIES FOR MANAGING CYBERSPACE AND SECURITY

MR. LEWIS: Let me throw in a Q: Question is, what do you think quick note here, Frank, which is that I do talk to some of our larger foreign opponents, and what I hear from them routinely is, oh, we’re so envious. Your interagency process works so well. Right? And from their perspective – so it’s all relative, you know? It looks – inside the baseball diamond it looks messy, but from the outsiders, we’re the borg.

actually will be – will happen with – (inaudible) – international cooperation? How are we going to bring the other countries on the table?

MR. KRAMER: Well, do you want to take one? And then Jim?

MS. MARKOFF: Sure. Well, we

have a – we – with what we came out of Q: Yes, thank you. I’m Vinny Markovsky. of the GGE, it really framed the issue. I I’m speaking in my personal capacity believe that our close allies and actually as a cyberexpert who happened to be, some of the other countries of the 14 eight years ago, with Michele Markoff, that were in the GGE have thoroughly Chris Painter, and others at the first bought on to the notion of norms as southeast European international con- a way forward. We are going to discuss ference on cybersecurity cooperation. this with our allies and PfP countries And I see that there is a big progress. in the context of OS – in the OSCE We were held – we had this conference in May. We will use other multilateral in Bulgaria; now we have it in Wash- opportunities to develop this. We will ington, D.C. But the topics – if you go back to the UNGA this fall with some guys go to cybersecuritycooperation.org, new ideas, maybe a new resolution. the presentations are there, and they I think there’s a lot of ways where we sound as if they were written yesterday, can socialize these ideas and elicit from except maybe what President Medvedev other states their own ideas, because said. And I want to thank Jim here, I don’t think we have a monopobecause the issues that we are discuss- ly on all the good ideas in this area. ing what’s going around the world, but we are actually – we didn’t hear except MR. FEI: Yeah. I think from China’s probably from the – from the gentle- respect, China really encourages difman from China, who is a Fulbright ferent kinds of cooperation among the scholar, so obviously he spent some different countries, both bilaterally or time here, what the others are thinking multilaterally. And China and the Unitabout this cybersecurity cooperation. ed States, we already have a bilateral talk And I would like to hear, actually – I about the Internet, about cybersecurity mean, and putting in brackets: It’s very cooperation. And also, China is very – good that women are now in charge. China emphasizes the new implied form Hillary Clinton took the – kind of the to start the deep research on cyberselead to – (inaudible) – our nation- curity, because the technology develops al – I mean, cyberambassador. And – very fast. So how can – really start or substance cooperations? That’s very imporMR. KRAMER: What’s tant; needs an expert to research first. your – what’s your question? [94] Georgetown Journal of International Affairs

International Engagement on Cyber

MR. KLIMBURG: As somebody is do we also have to accept that nationwho has – who worked with – actually, with Michele three years ago on the – two-and-a-half years ago on the OSCE floor, where I was with the Austrian delegation, I think it’s – things have changed a lot, from the international perspective, especially from the European perspective. The United States a couple of years ago was not really willing to engage with other countries on their capabilities; was more willing to have their – have other countries develop their own capabilities. And now there’s much more talk about working together on a cooperative level. For instance, what happened also in Mexico is – was a sea change from the European point of view. The Europeans previously were always for internationalization of the entire Internet governance issue and were kind of resistant to calls to maybe – maybe ICANN is the best of a whole bunch of bad options. And people changed their minds. They changed – people changed their mind because we discovered that we do have common values that were more important than wishes, that we have to work together on these issues. And also, the present discussion on rules and norms of behavior, that also is a very new development. The United States was not willing, I think, to go down that track three years ago. They are now. And from the European perspective, that is definitely, definitely welcoming.

states will try to forward-deploy cyberwarfare tools in each other’s territory?

MR. LEWIS: You know, I think that – we’re just going to – this – we tend to overstate the effect of cyberconflict and cyberwar. And so – you know, some – we all know there’s a famous statement from someone who said, it’s like nuclear war. It’s not like nuclear war. But it is a new way to attack opponents. It is a new military capability. Right now I think we could say five or six countries have advanced capabilities. Another 20 or 30 are trying to acquire advanced capabilities. And it’s on the path that airplanes were on, you know? Everyone will have this capability, and everyone will plan for its use. But I think they will be careful to try and observe the thresholds, implicit or otherwise, set by the law of conflict, which you, of course, know very well, and that is that doing reconnaissance, planning, developing the capability, all perfectly legitimate. Actually intruding and planting something on someone’s network, potentially a violation, something that crosses the border into the use of force. So I don’t think we’ll see it. I think we’ll see a lot of sniffing around, as we already have. And I’ll think – I think we’ll see the capability. It will be part of wars in the future, but I don’t worry so much about that.

Q: Good evening. My name is Sean MR. KRAMER: Can I jump in? Canuck. I’m a U.S. national security analyst. In one of the panels this morning, General Hayden very simply accepted the fact that nation-states will try to steal each other’s information in cyberspace. My question, very simply,

because one of the things the U.S. did was to put forward the notion, accept the laws of armed conflict. One of the elements of the laws of armed conflicts is the law of mine warfare and naval mines. (Inaudible) – it’s illegal under mine [ 95]

PANEL 4: NATIONAL AND GLOBAL STRATEGIES FOR MANAGING CYBERSPACE AND SECURITY

warfare doctrine to put an active mine into somebody else’s territorial waters. You can decide whether or not that’s an analogy that you like with respect to cyber. It’s just an analogy. It’s Jim’s point; I just want to make it a little more specific. The second thing is that if – and I think it’s important to say this; it’s been said a couple of times – if one thinks back to – it’s now, I think, about 13 years when we all got the first use of Google, right? The Internet’s changed a lot. I will be extremely surprised if it doesn’t change a lot in the next 13 years. It’s a bad idea to straight-line the concept of the Internet or cyber or whatever you want to talk about. And so that may change the set of opportunities, both from a warfare point of view, from an international point of view and the like. Everybody has to think today, but straight-lining is not a very good way to predict the future.

there was legislation passed, and two, the ability of the government to speak with one voice. Is that correct? With respect to the legislation, I think you heard this morning that the congressman who’s – who is the – either the key or one of the key people in the House said that he thought there was a good chance that there would be cybersecurity legislation. What I don’t think anyone knows yet is what the content of that legislation would be, whether it’ll be broad or narrow. The White House is thinking about broad, but they’re not sure. You could see a much narrower kind of approach that might just affect the critical infrastructures. It’s not clear. With respect to the ability of the government to speak with one voice, that’s never happened before. (Laughter.) But it’s doing better. And I – without trying to have Michele or Mary Beth say what, in Q: Yes, good evening. Thank you for effect, they’ve already said before, which your panel and your – the discussions. is to say, they do work together closely, I was wondering – you know, as we try and that the White House actually now to formalize a global strategy in cyber- has a coordinator, and DHS and DOD security, what I observe locally is that have actually signed a memorandum of we don’t seem to have – we don’t seem understanding – it’s not a surprise that to have a local – a U.S. cybersecu- there are multiple voices in the U.S. rity strategy. And I believe the cyber- government. The issue is whether they security act has not been passed as yet. can coordinate them effectively. We have So I was wondering if you have any pretty good people trying to do that, and comments on the progress made on if it’s all right, I’ll just speak for you and those two areas locally, so that it’ll say you’re working hard at that issue. enable us to speak with one voice as we go onto the global stage. Thanks. MR. LEWIS: Remember we’ve got the 60-day review as well, MR. LEWIS: Our government which is still – you know, it’s still colleagues will take that one on first. sort of a good plan to work off of. So we have gone through another iteraMR. KRAMER: If I understood tion. And I know it took 120 days to do the the question correctly, there were – 60-day review, and maybe that’s a hint. there were two parts. One, whether [96] Georgetown Journal of International Affairs

International Engagement on Cyber

MR.

KRAMER:

Well, an attorney here in Washington. I’ve like. read and heard anecdotally from military personnel that I know that one of Q: My name is Walter Girassic. I am life- the biggest, if not the biggest, cybertime student and observer. (Laughter.) security threat is social engineering. Through the history, we had classi- And I was just wondering, maybe for cal, industrial and political spies. And Mary Beth or the rest of the panel, today we have cyberspies. My question to if you could speak specifically to what you: The spy agencies across the world, the U.S. is hoping to do in that area. from Russia KGB to CIA to other, do they have any agreement that they will MR. KRAMER: I think we not use cybertechnology to spy on each should hear from the U.S., but I’d other? And what are we going to do also be interested in hearing the with the youth, young men and women Chinese view, if you’re willing. who are highly qualified and they do not have a jobs? They will find some- MS. MORGAN: What do you where to go who will pay them highly, mean in terms of “in that space”? salary, and work for someone who is really unfriendly to world community. Q: I guess I’m just thinking of stories I’ve read about thumb drives MR. KRAMER: Jim, you’re being picked up, infected thumb a former – you’re a former, so drives, or military personnel mayyou can answer the spying ques- be leaving computers unguarded. tion better than the current people. MS. MORGAN: Yeah, the notion of MR. LEWIS: What? No, I’m actually kind of the malicious insider, the ease – of course there’s no agreement on not of thumb drives and DVDs. And, you doing anything. And the answer where know, then there’s the social media sites the young people go – well, in Moscow that are also another attack vector, that they go to the – work for the govern- if you’re a military personnel and you’ve ment. So, you know, one of the things got a Facebook page, hopefully you’re that would be a benefit of having a better not putting your uniform where you’re articulation of governments and values located and all of these other things, and norms, all the things you’ve heard because it’s another way that actors can from Michele on down, is it would find out information. So it can create put boundaries around the degree of an operational security risk when you’re espionage and make it a little more nor- engaged in kind of the Twitter and mal. What we have now is an unusual the Facebook world. You have to think situation where the U.S. in particular, about what is your cyberidentity and because of political choices, is amazingly what’s your cyberprofile that’s out there. vulnerable. And when that changes, I It doesn’t mean that folks can’t use it. think you’ll see espionage under control. It’s just you have to be thinking that it’s not this anonymous space: that you Q: Hi, my name is Rebecca Lewis. I’m and I, you know, are talking privately and

the

CNC

and

the

[ 97 ]

PANEL 4: NATIONAL AND GLOBAL STRATEGIES FOR MANAGING CYBERSPACE AND SECURITY

in a room, closed door. When you put that out there, anybody can see it and anybody can hack into those elements. The notion of, you know, thumb drives and DVDs – we at the department unfortunately have had a lot of experience in that in the past year. And those are new techniques for adversaries and threat vectors to come at us. So we’ve had to look at our internal policies of how do we do business. I can’t – if I’m traveling with the secretary of defense, I can’t use a thumb drive anymore. I have to take – I have to do other things to make sure I have all the files that I need to support him when I’m traveling. That’s just an example. But there are real operational impacts when you’re downrange. When we do certain tasking orders or flight combat or weapons systems, a lot of that is cyberenabled. And so there are real – when you say you can’t use a thumb drive anymore, for me, OK, I’ll work around. I’m writing memos and papers and, you know, trying to get things done within the building. But there could be a uniformed military person in the area of hostility, in Afghanistan or Iraq, that’s dependent on that, because that’s how they load things into their weapons system that they need to use. So when we have to take action against these new threat vectors, we have to consider all the ripple effects that come into play. And it’s nowhere near as easy as people think it is. And oftentimes we don’t know until, you know, something’s promulgated and then somebody raises their hand and says, but wait a minute, I really need this. And then how do we exempt or how do we mitigate that and deal with it at the same time? So it’s a huge, huge challenge. And the [98] Georgetown Journal of International Affairs

Facebooks and the Twitters of the world, when you’re dealing with a military force that’s much younger and much more computer-savvy, is used to being online, it becomes a morale issue. But then there’s also the operational-security issues that we have to take care of. And it’s a very difficult set of choices and management that we have to deal with.

MR. KRAMER: Gao Fei, would you like to talk about the Chinese?

MR. FEI: I have no idea about

that. About the Facebook, or – ?

MR. KRAMER: Yeah. MR. FEI: Actually, I don’t know how to

use the Facebook. And in China, I never heard about that. Just some my friends send the link of Facebook, but I’m very locked into – (inaudible). (Inaudible) – I only use the Internet to search some academic articles or some – use that e-mail. But as I know, in China, the Facebook was blocked because – (inaudible) – war that China – China, if – you see, China has a strategy for separate security. It’s a negative strategy – negative defensive strategy – (inaudible) – war. And some Chinese people, they are very like to – if you are some pretty famous person, they put everything online. Everybody can see your family, your godfather, your father, what – type in the name. So the Chinese government dislikes that, and – yeah. So partly for this reason, I don’t –

MR. KLIMBURG: I just want to

quickly pick up on the question, because I think it addresses a much larger issue, which is, in Europe and the U.S. and the Western world in general, there are

International Engagement on Cyber

a lot of complaints about how intrusive, for instance, legislation is becoming; how much – how the government always wants increased information from us, and how we have to be aware of Big Brother cap. And nobody really thinks about how much benefits we’ve actually derived from this new openness already in terms of Facebook, in terms of social media, in terms of the Internet overall. And some of this new openness and some of the benefits that have come from this openness is – are going to require changed behaviors. And some of these behaviors will be voluntary, and that means, for instance, not being – doing stupid things online. And some things will have to be mandated by government.

MR. KRAMER: Last question. Q: Hi. Thank you for letting me ask my

question. My name’s Amanda Palleschi. I’m with Inside the Pentagon, and my question’s also for Mary Beth. You had mentioned that Secretary Gates is planning on signing a comprehensive cybersecurity strategy in the next coming days. If you could – if you could come up with maybe the one or two most important things that you expect that strategy to be able to do to kind of move us forward in terms of different agencies working together, working with our international partners, that sort of thing, if you had to say what the two most important things that are going to come out of that would be, what would they be?

what the strategy does is, it’s the first time ever that the department has put together a comprehensive strategy. So in a way it’s hurting all the disparate elements of the department and vectoring them into vectoring their energy. So it will help the department better organize, train, and equip, and be prepared for its operations across, you know, the spectrum, whether it’s military, it’s business operations, as well as intelligence activities. But it’s a way for us to ensure that we’re organizing in the right way, that we’re training in the right way, that we’re resourcing in the right way. And it provides a flexible structure so that as this environment and the strategic context changes over time, the department can change and develop over time. It’s a great challenge. I mean, we’re a huge department. So herding the cats has been part of the challenge in doing this, of getting everybody’s perspective and bringing some level of organization. So I think that’s a real key use to all of this, as it gets everybody on the same page and moving forward together so that we do have a more strategic approach to this area.

Q: And I’m assuming U.S. Cyber Com-

mand and the various forces within the services were involved and that they’re included in the spectrum as well? OK.

MS. MORGAN: Absolutely. Absolutely, as were our interagency counterparts, in taking a review, absolutely.

MS. MORGAN: I think what the MR. KRAMER: Right. The Siastrategy that we’ve, you know, developed, and once it’s signed – so I have to preface all of that, that it’s still pre-decisional, until the secretary signs it. But I think

mese twins in the interagency are on my left. Well, we’ve reached the end of our time. All of you deserve enormous congratulations for sitting upright in

[ 99]

PANEL 4: NATIONAL AND GLOBAL STRATEGIES FOR MANAGING CYBERSPACE AND SECURITY

your seats. I understand that there is going to be a reception. Catherine will let us know exactly where we’re going and what we’re doing. But I thank you very much for the panel. (Applause.) If you don’t mind just staying for one minute, because I’m going to take about two minutes and wrap up, tell everyone what to do. Today’s conference has certainly been both comprehensive and informative, thanks to the insights of our panelists, the leadership from the panel chairs, and the questions and topics you all have raised. At Georgetown University, we strive to better understand the issues facing the global community, while providing a forum for continued dialogue and debate. This conference has certainly achieved its objective of promoting such discourse among policymakers, academics and key industry stakeholders in cyberspace, as we continue to grow more interconnected. I would like to thank Spirostine Moulitsas, senior vice president for the university, for his continued support and vision for the cyberproject, and Dr. Chris Joyner, the director of the Institute for Law, Science, and Global Security. I want to extend a sincere thanks to the Atlantic Council members who played a key role in today’s event: the council’s president and CEO, Fred Kemp, vice chairman, Frank Kramer, and Damon Wilson, the council’s executive vice president.

[100] Georgetown Journal of International Affairs

Also want to welcome to the Atlantic Council Jay Healey. Jason Healey’scurrently teaching his class here on campus. He will be the new incoming director of cyber statecraft initiative at the Atlantic Council. I want to recognize Matt Angelo, whose hard work may go unnoticed but never unappreciated. Lastly, today’s conference was a success mainly because of the work done every day by all of the panelists. Their contributions today and their daily dedication to the advancement of cybersecurity for the global community is truly significant and remarkable. So thank you. Video of today’s proceedings will be available online at lsgs.georgetown.edu. We’ll push out e-mails to everybody who RSVP’d so you’ll know it’ll be available. The Georgetown University Journal of International Affairs will be publishing a special issue based on today’s conference. It will include the proceedings from today as well as individual articles submitted by participants. I encourage you to consider submitting an article. Thank you all again for your participation today. It’s been a long and productive day. And in the words of a good friend of mine, Professor Tony Arend here at Georgetown, it’s time to rock and roll. Please join me in Dahlgren Quad for a reception – it might be a little chilly – and the chance to maybe relax a little and talk among friends and colleagues. Thank you once again.

Introduction: Strengthening the Norms of State Responsibility Catherine Lotrionte “This world – cyberspace - is a world that we depend on every single day. . . [it] has made us more interconnected than at any time in human history.” -President Barack Obama, 29 May 2009 The rapidly changing structure of the global system over the last decade has brought international legal issues to the forefront of national policy and international relations. Virtually every international issue – from the control of weapons of mass destruction to environmental protection to cybersecurity– is wrapped in negotiated agreements and multilateral regimes that have been constructed by states with a shared interest in their observance. International law not only protects the status quo, but also reflects the aspirations of the leading members of the international systems in terms of promoting a stable and productive world order. In 2003, Georgetown University established the Institute for Law, Science & Global Security (the “Institute”). The Institute’s mission is to address emerging issues at the nexus of science and international law, and to contribute to the long-term stability and safety of our global society. Through a combination of high-caliber academic teaching, cuttingedge research, and the training of future policymakers, the Institute serves a dual purpose. First, the Institute seeks to inform academic and public policy discussions about critical

Catherine Lotrionte is the Executive Director of the Institute for Law, Science & Global Security and Visiting Assistant Professor of Government and Foreign Service at Georgetown University. Dr. Lotrionte has served as Counsel to the President’s Foreign Intelligence Advisory Board at the White House and as Assistant General Counsel at the Central Intelligence Agency. Dr. Lotrionte is the Director and Founder of the Cyber Project at Georgetown University and a Life Member of the Council on Foreign Relations.

[101]

INTRODUCTION: STRENGTHENING THE NORMS OF STATE RESPONSIBILITY

international issues where normative and legal considerations are at stake. Second, the Institute seeks to develop innovative methods of research and teaching – at both the undergraduate and graduate level. Situated in the nation’s capital and at the heart of United States foreign policy, the Institute is uniquely able to harness Washington DC’s resources to engage policymakers involved in some of the nation’s most pressing foreign policy issues. Cognizant of its place at the crossroads of academia and public policy, the Institute in 2007 helped to establish Georgetown University’s Cyber Project. The Cyber Project seeks to hone the Institute’s resources to help policymakers develop a greater understanding of current international cybersecurity issues. To that end, on 29 March 2011, Georgetown University and the Atlantic Council co-hosted an international conference entitled “International Engagement on Cyber: Establishing International Norms & Improved Cyber Security.” We have devoted this entire current issue of the Georgetown Journal of International Affairs to cyberspace and the challenges that societies face as they co-exist in this new domain. In the pages that follow, the symposium’s participants, who include foreign and domestic policymakers, private sector leaders, and notable scholars, lay out their visions for protecting cyberspace from harmful actors.

Tackling the Current and Future Threats to Cyberspace

Cyberspace has empowered people to conduct business across borders in seconds, run power plants through centralized control systems, and even coor-

[102] Georgetown Journal of International Affairs

dinate the movements of troops in distant locations.1 While the growth of cyber technology is a significant driver for economic growth, it also creates vulnerabilities for modern societies and opportunities for potential hacker groups and non-state actors to exploit weaknesses in cyber systems for either economic or political gain.2 From the minor theft of bank account information to the extreme case of a disastrous piece of malware destroying an electrical grid, non-state actors have the ability to create serious damage to individuals or states around the globe with just the click of a mouse.3 States have begun to recognize the need to work through international channels in order to secure cyberspace so that all of its benefits may remain. Indeed, on 16 May 2011, President Obama released the nation’s “International Strategy for Cyberspace.”4 In recognizing the challenges posed by malevolent actors who threaten the security of the Internet, the President called upon states to “work towards building the rule of law, to prevent the risks of logging on from outweighing its benefits.”5 In its 2009 Cyberspace Policy Review, the Obama administration concluded, “[i]nternational norms are critical to establishing a secure and thriving digital infrastructure.”6 The United States is formulating its domestic policy for cyber as it begins serious work at the international level to coordinate with other states to develop consensus on what is responsible behavior in cyberspace. International law and the principles and norms that are the basis of international cooperation are the bedrock for the future success of these efforts

LOTRIONTE

and central to securing cyberspace for all. As the National Research Council Committee on Deterring Cyberattacks noted in 2010, “whatever the useful scope for deterrence, there may also be a complementary and helpful role for international legal regimes and codes of behavior designed to reduce the likelihood of highly destructive cyberattacks

International Engagement on Cyber

important for an acceptance of the need for international engagement among states. For effective cybersecurity, it is paramount that engagement takes place at the government level. Efforts to harmonize domestic legislation, improve law enforcement collaboration, and socialize norms of state responsibility for cybersecurity are some of the fun-

States have begun to recognize the need

to work through international channels in order to secure cyberspace so that all of its benefits may remain. and to minimize the consequences if cyberattacks do occur. That is, participation in international agreements may be an important aspect of U.S. policy.”7 The ability of non-state actors to wreak havoc worldwide through cyberattacks raises the issue of what obligations governments have to prevent non-state actors within their borders from carrying out cyber operations that could do damage to others abroad. As with other transnational activities, the Internet, cyber systems, and networks within a state’s territory are subject to the state’s control.8 Two conclusions flow from this fact. First, if states have control over these activities one must determine the level of state responsibility for such activities when they are destructive to others. When and how should the state be held responsible? And what factors will be weighed in determining ultimate state responsibility? Second, state control implies that state support will be necessary for achieving effective cyber security norms. This point is critically

damental first steps to ensuring a safe, useful, and secure Internet. Further, as many of the authors in this issue suggest, “an alliance of key business and government stakeholders” that is made up of both “U.S. and international” participants is essential.9 As Kellermann notes in his article, “Civilizing Cyberspace,” the “private sector needs a seat at the table with government.”10

Effective Responses: Strengthening Norms of State Responsibility In the case of a major cyber attack, it is possible the United States or any other country that would be targeted would want to respond, either through diplomatic action or, in very serious cases that reach the level of an armed attack, through a use of force. Indeed, in his article, Herb Lin explores the issue of appropriate and proportionate responses to cyber attacks that fall below the armed attack threshold. Lin argues that further research must be undertaken so that policymakers know what to

[ 1 0 3]

INTRODUCTION: STRENGTHENING THE NORMS OF STATE RESPONSIBILITY

do in response to a cyberattack that does not rise to the armed attack threshold. Moreover, deciding what is to be done is just the first part of this difficult analysis. Deciding against whom to take action is the second. Unlike traditional theaters of war, attribution in cyberspace is much more challenging. Thus, what can a state legally do if the attacker is unknown? Even if those responsible are known and attribution is not an issue, what if the state claims no control over the non-state actor? Is there a legal basis already within current international law that can be used to overcome these issues in order to regularize the use of cyberspace, or is this a totally

active intrusion into internal affairs of a state. In the context of cyberspace, however, this principle also imposes a due diligence requirement on a state to prevent intrusions of another state’s sovereignty from its territory: “[s]tates should recognize and act on their responsibility to protect information infrastructures and secure national systems from damage and misuse.”12 In developing a strategy for strengthening the norm of state responsibility in cyberspace, states must coordinate diplomacy. All participants in Georgetown’s International Engagement on Cyber conference seemed to agree that cooperation is paramount if cyberspace

In developing a strategy for strengthening the norm of state responsibility in cyberspace, states must coordinate diplomacy. new problem that requires a completely new conception of international law? While a universal agreement from the international community on every aspect of a cybersecurity strategy may be impossible to achieve, strengthening the norm of state responsibility in cyberspace to prevent cyber attacks emanating from within their borders is critical. The principle that states have a responsibility to prevent harm to other states is strongly engrained in international law, both treaty law and custom.11 Examples can be drawn from “use of force” law, environmental law, and the legal frameworks governing current counterterrorism efforts. Furthermore, the preemptory customary principle of sovereignty under international law declares intolerable any

[104] Georgetown Journal of International Affairs

is to be secured from malicious actors. The greatest potential to influence states to act responsibly in terms of prosecuting hackers is through norm-based policy and international economic incentives. International legal mechanisms like the Council of Europe Convention on Cybercrime and the Budapest Convention on Cybercrime offer good starting points. Other options may include a cyber treaty that focuses on limiting what would be acceptable targets during cyber conflict.13 The goal of these norm-based agreements would be the creation of a “norm cascade,” where the norm of criminalizing activities that render the Internet unsecure and prosecuting the offenders domestically becomes more deeply engrained throughout international society.

LOTRIONTE

Creating a legal regime in cyberspace will be a challenge given the limited capabilities for attribution, the lack of significant oversight, and the material power of those that are actively harboring and supporting hacker activity. Establishing the norm of state responsibility and endorsing a standard for attributing the actions of private actors to the states in which they operate, however, will offer hope for a normative framework to diplomatically engage states that harbor hackers. Since 9/11, a lower standard of state responsibility has been promulgated that holds governments responsible for terrorist attacks that were planned within its borders. For instance, after 9/11, the global community held the Taliban responsible for al Qaeda terrorist attacks planned from Afghanistan. This standard offered a legal framework that was more practically viable than one based on a direct causal relationship between the non-state actor, al Qaeda, and the government, the Taliban. Based on this standard, if the Taliban could not demonstrate that it conducted its due diligence in trying to prevent al Qaeda from launching attacks from Afghanistan, then the Taliban would be in violation of its international obligations and would thus be responsible for the 9/11 attacks. Historically, the international principle of state responsibility had been based on a finding that the state had direct control over the offending nonstate actor and attribution to the state was feasible, thereby allowing others to hold the state culpable for the offending non-state actor’s actions. But international cases and court decisions that utilized this standard in finding state

International Engagement on Cyber

responsibility did not envision – nor were they faced with – modern terrorism or the evolution of the Internet. Certainly, finding a clear case of effective control by the state over a non-state group will likely be impossible in cyberspace where communications can be made instantly, funds can be shifted relatively anonymously, and actions can be routed globally.14 As with international terrorism, states that fail to take the initiative to prevent cybercrime and cyber attacks can be held responsible for any breach to international peace and security caused by those cyber operations. As more and more control systems become automated and the very lives of people all over the world become reliant on cyber systems, the scope, veracity, and sheer number of malicious hacker activities are likely to increase. States must establish a minimal norms-based framework for these activities in order to ensure that responses to cyber threats are responsible and diplomatic. Given the challenges that cyberspace offers to the security of the international community, strengthening an international norm of state responsibility may provide the precise framework necessary for diplomatic negotiations and a more secure and accountable cyberspace environment. The central thrust of diplomatic discussions on a norm of state responsibility for cybersecurity would focus on codifying domestic criminal legislation against hacking, utilizing these laws to prosecute those that break the law, and cooperating with other nations to share information and to allow others to investigate within the host-state’s territory. These criteria for assessing state responsibility would focus on the host-state’s actions and

[ 1 0 5]

INTRODUCTION: STRENGTHENING THE NORMS OF STATE RESPONSIBILITY

whether they are in line with its legal obligations to prevent the occurrence of a cyber attack. Under this standard, while a host-state may not be responsible for the acts of private individuals who have taken down a server in the United States, it will be responsible if it fails to take all necessary steps to protect the security and misuse of the Internet in its country or to minimize and mitigate the damage caused by any misuse.

Looking Ahead As cyber events have become more visible worldwide in recent years, writing about cybersecurity has increased in importance. The authors in this issue include current and former government and cybersecurity professionals who have dedicated their professional lives to making cyberspace more secure. For the March conference and this issue we challenged these authors to address some of the most difficult issues within cyberspace such as: • How should the U.S. government use its authorities to protect those infrastructures that are critical to our national security? • What are some of the innovative models for private-public partnership? • Would the traditional international norms regulating the use of cyberspace be an effective way forward? For the most part, the authors included in this anthology agree that over that last few years, cyber crime and cyber attacks have matured into a global phenomenon. As Ron Plesco and Phyllis Schneck aptly note, combating this trend “will require a confluence of policy and technology, to bring international law together with the communications infrastructure to ensure cybersecurity and resiliency at the

[106] Georgetown Journal of International Affairs

speed of light with the ability to enforce and prosecute.” Several of the authors included in this collection outline the nature of the cyberattacks threat and the potential responses that states may undertake when they are attacked. Most of them also suggest that the way forward must include public-private alliances and multilateral engagement. Cyberspace is a new frontier that knows neither public-private nor international boundaries. Therefore, unilateral action – be it a state- or corporate- initiative – will be insufficient. In the first set of articles, two scholars set forth their visions for the future of cyberspace. In the article, “The Five Futures of Cyber Conflict of Cooperation,” Jason Healey posits five likely futures of Internet-based conflict and cooperation, and envisions the cyber conflicts of the future. For Healey, the future of cyberspace will lie in a gradient between “paradise” – a state of international cooperation – and “cybergeddon” – a state of ongoing cyberconflict in which cooperation is useless. To avoid the latter, Healey suggests that government engagement and international agreement are critical. Likewise, Dr. Irving Lachow details the lessons that policymakers can glean from the Stuxnet malware that infected and effectively shut down Iran’s nuclear program. In an ominous warning, Lachow asserts that future Stuxnet attacks are inevitable and current efforts to protect critical networks, including air-gapping, are “necessary but insufficient” to stop them. Indeed, as John Mills notes in his later piece, the threat is magnified in cyberspace because the actors are mainly non-state groups who act irrationally.

LOTRIONTE

Following up on these threats, Herb Lin and John Mills outline the challenges that cyberspace poses to traditional conflict frameworks. According to Lin, unlike traditional theaters of war, it is not only difficult in cyberspace to identify a particular culprit or attacker, but it is also hard to determine the threshold for an attack that would justify the use of force in retaliation. Further, it is still unclear what a state may do to respond to an attack that does not qualify as an “armed attack” under the UN Charter. In a similar vein, John Mills’ piece, entitled “Counterinsurgency in Cyberspace,” seeks to assert a four-step strategy to

International Engagement on Cyber

ceed. For instance, Tom Kellermann notes in his article that effective cybersecurity requires that private sector representatives partner with foreign and domestic governments to develop a strategic and coordinated plan. The lack of information sharing in regard to cyberattacks across sectors and countries is an impediment to securing cyberspace from malicious attacks. By collecting and sharing information on malicious actors and those who enable them to operate, states and private companies would be able to connect the dots between the cyberattacks and those behind them. In step with the previous calls for

Cyberspace is a new frontier that knows neither public-private nor international boundaries. successfully conduct counterinsurgency operations against irrational nonstate actors who inhabit cyberspace. Insurgents who conduct their operations in cyberspace because of its low cost of entry and anonymity cannot be dealt with through conventional means. Foreshadowing the work of other authors in this volume, Mills calls on national security professionals to focus more acutely on these insurgents. Cognizant of the unique nature of the cyberspace threat, the remainder of this collection outlines proposals that would deter and deny future cyberattacks. Foremost, most authors agree that an amalgam of public-private and multilateral partnerships is necessary if these efforts are to suc-

public-private partnerships, Franklin Kramer, a former Assistant Secretary of Defense for International Security Affairs, outlines a proposal that would prioritize governmental efforts toward cybersecurity problems that have national security consequences. Such prioritization, he argues, would allow for the focused use of resources and a greater likelihood of success. The lessons learned from this project could then be applied to the private sector. Similarly, in her thoughtful piece Melissa Hathaway introduces a novel American model to combat cyberthreats. For Hathaway, the United States should charge executive branch regulatory agencies, including the Security Exchange Commis[107]

INTRODUCTION: STRENGTHENING THE NORMS OF STATE RESPONSIBILITY

sion, the Federal Trade Commission, and the Federal Communications Commission with overseeing private information infrastructure protection programs and online environments. This model would in turn create a “demand curve” for more effective cybersecurity measures. Continuing this trend, Ron Plesco and Phyllis Schneck suggest a more comprehensive model for multilateral private-public alliances. Their article discusses a first-of-its-kind international collaborative effort named the National Cyber-Forensics Training Alliance (NCFTA), a non-profit corporation that facilitates collaboration between private industry, academia, and law enforcement to identify, mitigate and neutralize complex cyber-related threats. With partnership NCFTA entities in India, Canada, and Germany, the NCFTA organizes collaboration between private-sector subject matter experts (SMEs) and law enforcement officials in order to position the alliance to manage the collection and sharing of intelligence among alliance partners, other cross-sector SMEs, and law enforcement. This model, they note, has resulted in hundreds of criminal (and some civil) investigations and the prosecution of more than three hundred cyber criminals worldwide. The NCFTA has also produced more than five hundred cyber threat intelligence reports in the past three years alone. Thus, they conclude that similar cross-sector models are needed if we are to effectively share actionable and attributable intelligence to identify, mitigate, and neutralize cyber threats. In keeping with the foreign relations aspect of the Conference, Dr. [108] Georgetown Journal of International Affairs

Gao Fei of the China Foreign Affairs University elucidates China’s perspective on cybersecurity challenges and Jeffrey Carr foreshadows the challenges that cybersecurity experts in developing states will likely face in the years to come. Carr’s piece on Russia’s experience with Internet media suggests that social media networks are quickly becoming influential tools that know no national boundaries, and may pose future difficulties to cybersecurity. Similarly, Fei notes that while China’s recent economic development has spurred a rapid growth in Internet access across the Chinese population, the private and public sector’s cybersecurity efforts have not kept pace. Thus, China remains among the most frequent victims of Botnet attacks in the world. Fei echoes other conference participants’ suggestions and notes China’s calls for multilateral cooperation as a key tool in the fight against cyberattacks. This call for multilateral engagement is in line with the argument proffered in Major General Koen Gijsbers’ piece. General Gijsbers explains the Netherlands’ national cybersecurity strategy and suggests that private-public partnerships, a better understanding of the nature of cyber attacks, and a renewed investment in skilled cybersecurity specialists are necessary to counter future attacks. For Gijsbers, the challenge is foremost to “develop resilient networks that are able to absorb an attack, limit its impact as much as possible, and be quickly restored to full operational capacity.” Finally, Dr. Jay Smart’s note brings a much-needed consumer perspective to the debate regarding public-private partnerships and cybersecurity policy. Smart notes the tension between the

LOTRIONTE

need to share information to combat cyberthreats and one’s personal privacy rights. He posits a Privacy Assurance framework in which the security/liberty dichotomy is solved by using a black box into which information can be placed but which no person can access. Under this framework, a “black box” would sift through information streams and identify patterns of reasonably suspicious behavior that could then be acted upon by law enforcement personnel. For Smart, an approach that enables organizations to share information in a way that respects individual rights would go a long way to ease the tension

International Engagement on Cyber

between the needs to share information and to protect individual liberties. Through the conference and the articles in this issue, one can only conclude that challenges to cybersecurity are a worldwide problem that could potentially affect all cyber systems and their infrastructure – regardless of state boundaries. As the 2011 International Cyberspace Strategy noted, “Cybersecurity cannot be achieved by any one nation alone, and greater levels of international cooperation are needed to confront those actors who would seek to disrupt or exploit our networks.”15

NOTES

1 Richard A. Clark and Robert K. Knake, Cyber War: The Next Threat to National Security and What To Do About It (New York: HarperCollins Publishers, 2010), 97-101 (hereinafter Cyber War). 2 White House, Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communication Infrastructure, May 2009, 1 (hereinafter 2009 Cyberspace Policy Review). 3 Jeffrey Carr, Inside Cyber Warfare (Sebastopol, CA: O’Reilly Media, 2010), 8. 4 White House, International Strategy For Cyberspace: Prosperity, Security, and Openness in a Networked World, May 2011 (hereinafter 2011 International Cyberspace Strategy). 5 Ibid. 3. 6 2009 Cyberspace Policy Review, iv. 7 Letter Report from the Committee, “Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy,” Committee on Deterring Cyberattacks, National Research Council, 25 March 2010, 19.

8 Jack Goldsmith and Tim Wu, Who Controls the Internet: Illusions of a Borderless World (Oxford Press, 2008). 9 Thomas Kellermann, Civilizing Cyberspace. 10 Ibid. 11 Stephen Allen, “Harboring or Protecting? Militarized Refugees, State Responsibility, and the Evolution of Self-Defense,” The Fletcher School, Internet, http://fletcher.tufts.edu/praxis/archives/ xxv/XXV_article1_Allen_MilitarizedRefugees_FINAL. pdf (date accessed: 5 May 2011). 12 2011 International Cyberspace Strategy, 10. 13 Clark and Knake, Cyber War, 246. 14 Scott J. Shackelford, “State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem, Introduction,” (University of Cambridge Department of Politics and International Studies, 2010), Internet, http://irps.ucsd.edu/ assets/001/501281.pdf (date accessed: 5 May 2011). 15 2011 International Cyberspace Strategy, 21.

[ 1 0 9]

The Five Futures of Cyber Conflict and Cooperation Jason Healey The word “cyberspace” is nearly thirty years old,1 and for about as long there have been academics, theorists, and strategists thinking of how conflict will unfold in this new domain.2 As yet, though, there has been little published on what different futures may await us,3 and most writings seem to imply that cyberspace itself is relatively static when it is in fact constantly changing. Technologies are changing, and tomorrow’s cyberspace will be more mobile and cloudbased. There are also now generations of digital natives that have never known a world without the Internet. The way they experience cyberspace – especially security, privacy and collaboration – will be very different from previous generations. If cyberspace is different and younger generations use it differently, then it is possible, or even likely, that conflict and cooperation in cyberspace will be different than experienced or even envisioned by Cold War-era thinkers and strategists. Accordingly, this essay is a think piece that examines five broad, possible futures of cyber conflict and cooperation over the next ten to twenty years to ensure that we are not planning to fight – or trying to avoid – yesterday’s conflict. These five possible futures are Status Quo, Conflict Domain, Balkanization, Paradise, and Cybergeddon.4

[110] Georgetown Journal of International Affairs

Jason Healey is the Director of the Cyber Statecraft Initiative of the Atlantic Council, focusing on international cooperation, competition, and conflict in cyberspace. His previous experiences include an Air Force intelligence officer, Goldman Sachs vice president, and director at the White House. He is a board member of Cyber Conflict Studies Association and lecturer in cyber policy at Georgetown University.

HEALEY

International Engagement on Cyber

Table 1: Comparison of Possible Future of Cyber Conflict and Cooperation Status Quo

Conflict Domain

Balkanization

Paradise

Cybergeddon

Description

Cyberspace conflict tomorrow looks like that of today: high levels of crime and espionage but no massive cyber wars

Cyberspace has range of human conflict just like air, land, space, maritime domains

Cyberspace has broken into national fiefdoms: there is no one Internet, just a collection of national internets

Cyberspace is an overwhelmingly secure place, as espionage, warfare, and crime have no hold

Cyberspace, always unruled and unruly, has become a “failed state” in a near-permanent state of disruption

Relationship of Offense and Defense

Offense > Defense

Unknown/Depends

Defense >> Offense

Offense >> Defense

Intensity and Kind of Conflict

As today: bad, but not catastrophic, crime and spying

Full range of conflict: crime, spying, embargos, full-blown international conflict

Possibly nations blocking access to content to and from each other. May be fewer outright attacks

All conflict much reduced, though nations and other advanced actors retain some capability

Every kind of conflict is not just possible, but ongoing all the time

Intensity and Kind of Cooperation

Healthy but limited sharing on response, standards, cybercrime

To be stable, requires norms and regimes, just as in other domains

Needs international agreement to interconnect national internets

Cooperation critical (if stability depends on norms) or unneeded (if it depends on new tech)

Cooperation is either useless (as attackers always have the edge) or impossible (like trying to govern Somalia)

Stability

Relatively Stable

Relatively Stable?

Unknown/ Depends

Long-Term Stable

Long-Term Unstable

Likelihood

Moderate

High

Low

Why This is Possible

Current trend line and massive attacks have not occurred yet despite fifteen years of expectations

Other domains have generally supported range of human activity, from commerce to conflict

Countries continue to build border firewalls, which UN control of Internet could exacerbate

New technologies or cooperation could make security much easier and have been long promised

Offense continues to outpace defense as any new defensive technology or cooperation is quickly overcome

Each of these five futures is summarized in Table 1, along with an assessment of three key factors that characterize each future: how strongly the “geography” of cyberspace favors offense compared to defense, the intensity and kinds of cyber conflicts and the intensity and kinds of cyber cooperation. These five are not meant to be allinclusive or taxonomic; other futures are possible, but these five seem to cover the most interesting (and likely) grounds of conflict and cooperation.

Status Quo In a Status Quo future,

conflict and cooperation in cyberspace look much the same as today. Despite the “geography” of cyberspace favoring the offense over defense, cyberspace is generally a safe place in which to do business and communicate with others. Criminals engage in multi-million dollar heists and steal millions of people’s personal details; national foreign intelligence agencies poke and prod for military and industrial secrets; denial of service attacks are capable

[111]

THE FIVE FUTURES OF CYBER CONFLICT AND COOPERATION

of disrupting nearly any target; and militaries make plans to unleash organized cyber violence, if called upon. Yet the system remains stable overall, despite the discontent, difficulties, and disruptions. People tweet, Skype, listen to music, wander Wikipedia and play Warcraft. Businesses rely on cyber connections to produce and deliver

militaries attacking each other in cyberspace, both integrated into traditional “kinetic” operations as well as in largescale cyber-on-cyber attacks. Terrorists, in addition, will embrace the new avenues of attack, realizing that they can achieve both disruptions and headlines. There are not just “digital Pearl Harbors” and “digital 9/11s” but also digital

Cooperation in a conflict domain future will require...transparency, confidencebuilding measures, formal and informal treaties, and laws of armed conflict. their goods and services and depend on email and web presence to communicate with their clients. Governments depend on Internet-delivered services and some even have elections online. It is possible, though not likely, that our cyber future will look like the cyber past and present. Since there have been cyber experts, they have predicted that a catastrophic attack was imminent. Yet nearly two decades along, all of cyberspace’s major disruptions have been lacking in scope, duration, and intensity. Cyberwar, then, has loomed but not swooped. If it turns out that this has not been luck, but some kind of underlying stability,5 then it is entirely possible that Status Quo will be our cyber future.

“Battles of Britain,” “St. Mihiel,” and every other kind of digital conflict,6 many of which are only imagined today by science fiction writers. Cyberterror and cyberwar, which in 2011 are more hyperbole than fact, will become reality. Despite this flurry of organized and unorganized violence in cyberspace, cyberspace remains generally as stable as the air, land, space, and maritime domains. The other residents of cyberspace learn to adapt through the crime and disruptions, so the Internet remains a relatively trusted place for communications and commerce. There may be certain areas equivalent to modern-day Somalia – dangerous to be in or even near – but these “failed” regions of cyberspace are Conflict Domain If cyberspace widely known to be dangerous and most becomes a Conflict Domain, it will people can easily avoid them. Accordcontain not just the malicious actions ingly, damaging attacks are unable to and actors we see in a Status Quo cause widespread instability throughout future, but the full range of conflict we cyberspace for long periods of time. see in the other “warfighting domains” In 1995, the Air Force described of air, land, space, and maritime as just how such a conflict domain might well. It will become common to have come about (though speaking of the

[112] Georgetown Journal of International Affairs

HEALEY

wider “information realm,” similar to, but distinct from cyberspace): “Before the Wright brothers, air, while it obviously existed, was not a realm suitable for practical, widespread military operations. Similarly, information existed before the information age. But the Information Age changed the information realm’s characteristics so that widespread military operations within it became practical.”7 Thus far, in 2011, though armed forces use cyberspace to attack, defend, and spy, these missions are not yet at the scale of engaging in “practical, widespread military operations” as they are in other domains. In a future of Conflict Domain, such operations would become typical, with regular news reports of terrorist attacks taking out networked electrical power systems and military cyber strikes disrupting national communication grids. Cooperation in a Conflict Domain future will require grounding in the norms and regimes that have helped to tame conflicts in other domains: transparency, confidence-building measures, formal and informal treaties, and laws of armed conflict. Some – perhaps even most – of these norms and regimes can be borrowed directly; others will have to be adapted or invented. Conflict Domain is the most likely cyber future, and in many ways the default future. Assumedly each and every adversary in cyberspace is working to improve its capability, and many (at least organized crime groups, militaries, and terrorists) seek to be able to have long-lasting and wide-reaching effects – whether in stealing money or information or in disrupting their enemies. And so it seems that there

International Engagement on Cyber

are three scenarios in which we would not find ourselves in this future. First, cyberspace would somehow be more resilient to attacks than is currently suspected so that large-scale military operations could not easily happen, in which case we would likely be in Status Quo or Balkanization. Second, defensive techniques or technology would shift the geography strongly in favor of the defenders, putting us in Paradise. Or, finally, the attackers would operate with such impunity that our future would be Cybergeddon.

Balkanization In the Balkaniza-

tion future, different actors in cyberspace – perhaps predominantly nations – build sovereignty and borders so that there is no longer a single Internet, but a collection of smaller Internets. As expressed by one academic, “[j]ust as it was not preordained that the internet would become one global network where the same rules applied to everyone, everywhere, it is not certain that it will stay that way.”8 Such a world may seem antithetical to the interests of nation states. It is possible that the collection of national firewalls and virtual borders would be enough to partition the current Internet so that, rather than being one global network, it would become fragmented like the telephone system. Each nation has full control over its own telephone lines and comes together, through the United Nations’ International Telecommunications Union, to agree on how to exchange international traffic. In a Balkanized future, nations would find it easier to clamp down on the right of freedom of opinion and expression “through any media

[113]

THE FIVE FUTURES OF CYBER CONFLICT AND COOPERATION

and regardless of frontiers” as codified in the 1948 Universal Declaration of Human Rights.9 Some nations are already displaying a strong trend in this direction, as can be seen in an official agreement by the Shanghai Cooperation Organization (SCO), comprised of China, Russia, and Central Asian nations. In a 2008 declaration,10 the SCO – alongside other “main threats” to information security like information weapons, crime, and information terrorism – expressed their worry about the “use of the dominant position in the information space to the detriment of the interest and security of other States … [and] dissemination

er” process were supplanted by one centered on the UN – such as with the phone system – then every nation would have an equal vote, with no official voice for anyone else. This would open the possibility of allowing more repressive nations to run the Internet as they see fit. Robert Knake, then of the Council on Foreign Relations, summarized the dilemma this way: “If the current Internet is a reflection of the openness and innovation that are hallmarks of American society, the Internet of the future envisioned by Russia and China would reflect their societies – closed, dysfunctional, state-controlled, and under heavy surveillance.”11

Cyberspace might just be able to settle into long-term stability if people, organizations, and nations had the will to make different decisions and take smarter actions. of information harmful to social and political, social and economic systems, as well as spiritual, moral and cultural spheres of other States.” If CNN or Facebook are threats, then strong national firewalls cutting off other nations and blocking harmful content could be an extremely valuable tool. One way such a future might emerge is through United Nations control over core Internet functions, such as those run by the Internet Center for Assigned Names and Numbers. Currently, this group (though still partially connected to the U.S. government) uses a process in which states have a voice, as do individuals, corporations, and nonprofit groups. If this “multi-stakehold-

[114] Georgetown Journal of International Affairs

A Balkanized Internet may actually improve many of the current security problems of cyberspace, as nations would have more levers to stop all kinds of unpleasant traffic. This would of course be matched by limits on crossborder speech and commerce, however, so most Western societies would be unhappy with the resulting tradeoffs.

Paradise In the Paradise future,

cyberspace would become radically safer and more secure either through revolutionary new technologies or an accretion of small changes in technology and practices. Instead of the “geography” of cyberspace favoring the offense over the defense – as in Status Quo, Con-

HEALEY

flict Domain, and Cybergeddon – in a Paradise future we would have a cyberspace where the defense is far superior to the offense. It would simply be very difficult for most cyber actors to achieve any malicious aims. Nationstates or other very well funded and patient organizations would still be able to operate, but with greatly reduced operational flexibility, and they would not be able to threaten the long-term stability of cyberspace as a whole. The Paradise future is possible, but not likely, requiring either a tremendous number of small things to work well enough or one or two tremendously large things to work perfectly. In the past, many new technologies have been created with the goal of ensuring a secure Internet. Some of these technologies were devices (e.g., firewalls or intrusion detection or prevention appliance), and others were standards (IPSec, DNSSec) or software (hostbased behavior blockers). Though no technologies, alone or in combination with others, have delivered Paradise yet, it is certainly conceivable that it will happen in the middle future. For example, the scourge of syphilis, and countless other diseases were cured after one small discovery: Alexander Fleming’s isolation of penicillin. Perhaps an equivalent discovery to shift the balance in cyberdefenders’ favor is near. Of course, it is not just through new technology that we could smother nearly all attacks. Cyberspace might just be able to settle into long-term stability if people, organizations, and nations had the will to make different decisions and take smarter actions. Such decisions and actions might include companies, governments, and individu-

International Engagement on Cyber

als keeping their systems well patched. Also, Internet Service Providers could clamp down on denial of service attacks (or other obvious malicious traffic). It might turn out that such simple actions have a disproportionately beneficial effect: Verizon reported that out of eight hundred incidents investigated in 2010, fully 92 percent were “not highly difficult” and 96 percent could have been prevented with simple or intermediate security controls.12 Similarly, according to a survey by Arbor Networks, 27 percent of network operators do not attempt to detect outbound or crossbound attacks and, of those that do, nearly half take no actions to mitigate such attacks.13 Stopping these incidents and attacks is relatively easy and would be important first steps toward Paradise. Though efforts to deter malicious cyber actors through improved crime fighting or military-style deterrence may help to create long-term stability, they are very unlikely to do so completely on their own. There are still too many vulnerabilities and monetary incentives for crime even for a completely dedicated and resourced law enforcement community or military to counter.

Cybergeddon In Cybergeddon, the

worst future of them all, the unruliness of cyberspace has gained the upper hand, further shifting the geography so that the offense now has an overwhelming, dominant, and lasting advantage over the defense. Attackers – whether hackers, organized crime groups, or national militaries – can achieve a wide range of effects with very little input, making large-scale, Internet-wide disruptions easy and common. Every kind

[115]

THE FIVE FUTURES OF CYBER CONFLICT AND COOPERATION

of conflict is not just possible and occurring (as in Conflict Domain), but seems to be occurring all the time. Moreover, cyberspace is no longer a trusted medium for communication or commerce and is increasingly abandoned by consumers and enterprises. Worse yet, all attempts to invent new, more secure technologies or standards are soon swamped by attacks as well, defying attempts to redress the balance. Cooperation among nations, or with non-government organizations, is similarly useless either because there is rampant mistrust between participants, or attackers are ubiquitous, relentless, and triumphant. CISCO, in its excellent report on “The Evolving Internet” also sees Cybergeddon as one of the possible Internet futures, calling it “Insecure Growth:” “This is a world in which users—individuals and business alike—are scared away from intensive reliance on the Internet. Relentless cyber attacks driven by wide-ranging motivations defy the preventive capabilities of governments and international bodies. Secure alternatives emerge but they are discriminating and expensive.”14 Though such a future may sound unbelievable, there is at least one similar example in other domains. The US military is already tracking twenty thousand objects in orbit (expected to triple by 2030) and this space debris problem may already be past the “point of no return.” The situation is not unstable yet but is likely to be soon when “operational satellites will be destroyed at an alarming rate, and they [will not be able to] be replaced.”15 The Cybergeddon future is fortunately not likely, but is far from

[116] Georgetown Journal of International Affairs

impossible. Perhaps all that it lacks is a continued lassitude on the part of governments and individuals, all continuing to make the easy choices rather than heed the many warnings of coming catastrophes in cyberspace.

Conclusion It is in the long-term

interests of the United States and other like-minded nations to seek a future of Paradise in cyberspace, one that is long-term stable and neutralizes all but the most cunning and determined attackers. Such a future protects American commerce and freedom of speech while still granting the U.S. Military options to use cyber capabilities to supplement or replace kinetic firepower. A Paradise future is also likely in the interest of nations that are not liberal or democratic. China will forego much of its potential international leverage and influence in a Balkanized future, as many nations might reciprocate against Chinese information blockades. Fortunately, the steps needed to create the most desirable Paradise future are largely the same that are needed to avoid the least desirable, Cybergeddon. Even more fortunately, these steps have for years been detailed by many groups, commissions, and experts, so all that is required is to find the will to implement these recommendations. These include quickly patching vulnerable or infected computers, making it difficult for attacks to transit the core networks, and engaging in dialog with international partners to find areas of common concern and mutual action. Hopefully, having recognized these possible futures will make it more likely that the world can safely navigate toward the one we desire rather than the one we currently deserve.

HEALEY

International Engagement on Cyber

NOTES

1 Having been coined by William Gibson in Burning Chrome in 1982 and popularized in Neuromancer in 1984. 2 See Winn Schwartau, Information Warfare (New York: Thunder’s Mouth Press, 1994). 3 One exception is CISCO’s excellent, “The Evolving Internet: Driving Force, Uncertainties and Four Scenarios to 2025,” 2010. This report, however, focuses primarily on technology and usage, rather than national security conflict and cooperation. 4 For a more detailed examination of particular scenarios of how offensive cyber operations might be used in a conflict, see Greg Rattray and Jason Healey, “Categorizing and Understanding Offensive Cyber Capabilities and Their Use,” Proceedings of a Workshop on Deterring Cyberattacks, National Research Council, 2010. 5 Such as if strategic disruption of cyberspace is especially hard. This might be the case if strategic attacks are particularly hard to execute or defenses are more resilient than expected. See Gregory Rattray, Strategic Warfare in Cyberspace (Cambridge: MIT Press, 2001), chapters 3 and 4, for a more detailed analysis. 6 A more complete categorization of operational possibilities for offensive cyber operations can be found in “Categorizing Offensive Cyber Operations,” by Greg Rattray and Jason Healey, in Proceedings of a Workshop on Deterring CyberAttacks: Informing Strategies and Developing Options for U.S. Policy, National Academies of Science, 2010.

7 “Cornerstones of Information Warfare,” Department of Defense, Internet, http://www.iwar.org.uk/ iwar/resources/usaf/iw/corner.html (date accessed: 13 May, 2011). 8 Kevin Werbach, quoted in “The future of the Internet: a virtual counter-revolution,” The Economist, (2 September 2010). 9 United Nations Universal Declaration of Human Rights, (1948) Art. 19, Internet, http://www.un.org/ en/documents/udhr/index.shtml. 10 Shanghai Cooperation Organization, “Agreement between the members of the Shanghai Cooperation Organization on Cooperation in the Field of Information Security,” 61st Plenary Meeting, December 2008. 11 Robert Knake, “Internet Governance in an Age of Cyber Insecurity,” Rep. no. 56. (New York: Council on Foreign Relations, 2010). 12 Verizon Data Breach Investigations Report, 2011, p. 3. 13 Arbor Networks, “Worldwide Infrastructure Security Report: 2010 Report”, Vol 6, pp. 15-16. 14 CISCO, “The Evolving Internet: Driving Force, Uncertainties and Four Scenarios to 2025,” 2010, p 19. 15 Quote from Marshall Kaplan, orbital debris expert, from “Ugly Truth of Space Junk: Orbital Debris Problem to Triple by 2030,” Space.com, 2011.

[117]

The Stuxnet Enigma

Implications for the Future of Cybersecurity Irving Lachow

Over the past year there has been a great deal of discussion and intrigue surrounding the Stuxnet worm—an incapacitating computer virus that wiped out nearly 60 percent of Iran’s computer network. The Stuxnet attack has far-reaching cybersecurity and policy implications, as it demonstrates that nation-states are susceptible to crippling cyber actions from other nation-states or private entities. The international community remains unsure of the source and exact purpose of the virus, but has become aware of its own significant vulnerability as a result of the attack. There are several valuable lessons that policy leaders can glean from the development and deployment of the Stuxnet worm. In order to begin a dialogue about what the virus means at a national policy level and to mitigate the risk of a similar virus attacking other infrastructures, policymakers must recognize that current security measures may not be sufficient to guard against a sophisticated cyber assault of this type. Detailed information on the Stuxnet worm is increasingly becoming publicly available, and it is likely that at least some countries and/ or organizations will attempt to copy Stuxnet’s success.

[118] Georgetown Journal of International Affairs

Irving Lachow is Principal Information Security Engineer at the MITRE Corporation. Dr. Lachow has extensive experience in both information technology and national security. He has worked for the U.S. Department of Defense, Booz Allen Hamilton, and the RAND Corporation. Dr. Lachow earned his PhD in Engineering and Public Policy from Carnegie Mellon University. He earned an AB in Political Science and a BS in Physics from Stanford University.

LACHOW

International Engagement on Cyber

Unraveling the Code: The Mys- Identifying the Perpetrators tery of Targets and Origins The first variant of Stuxnet appeared in There are three basic ways that one can attempt to discern the source of a cyber attack. The first is to focus on the technical characteristics of the malware itself. While this technique does not generally work well against sophisticated adversaries, it can often yield benefits. For example, it is sometimes possible to identify known snippets of code or to recognize coding practices used by specific parties. In addition, malware authors sometimes make mistakes that allow defenders to trace the origin of the code even if the culprits take steps to hide their tracks. A second approach is to focus on the adversary’s tactics, techniques, and procedures (TTPs). This is a more operational approach than focusing directly on the code; rather, it is focused on the process that is used by the adversary. For example, does a given adversary tend to use a specific type of email for spear phishing attacks?2 Do they tend to target certain types of organizations? Is there a periodicity to their attack patterns? By looking at these types of questions, defenders may be able to identify the source of a given piece of malware without direct technical attribution. Finally, defenders may attempt to attribute a cyber incident by looking at the strategic context surrounding the event. For example, determining Stuxnet’s targets and the intended effects of the attack might help to expose the responsible party or parties. Furthermore, analysts might be able to narrow the field of possible culprits by asking who has the capabilities and resources to launch such an attack, and who might benefit from its consequences.

June 2009 and more advanced versions showed up in the Spring of 2010. In the intervening year, dozens of companies and perhaps hundreds of people have examined the Stuxnet code and the details of the incident, and there is yet to be definitive identification of the source of the virus.3 In addition, there are still unanswered questions about the specific targets of the worm and its intended effects. One interesting clue identified by Symantec’s analysis of the code is that Stuxnet will not infect a computer if the number “19790509” is in the machine’s registry key. As it turns out, a famous Iranian Jewish businessman and philanthropist, Habib Elghanian, was executed in Tehran on 9 May 1979. Some people believe that this piece of information points to Israel as the source of the worm.4 This is certainly not enough information to assuredly locate a source, however, as the number “19790509” could just as easily refer to almost anything else, including someone’s birthday or the day that a university student was injured by the Unabomber. In addition, one must consider the possibility that the creators of the Stuxnet worm may have planted “clues” in an attempt to deliberately mislead analysts who would attempt to attribute the attack. As Symantec notes, “[a]ttackers would have the natural desire to implicate another party.”5 Another interesting observation made by several analysts is that there appears to be a difference in the style of coding used for the software that initially infects the targeted organization(s) and the software in the “payload” that deploys once

[119]

THE STUXNET ENIGMA

the malware has penetrated the organization’s defenses. This has led some to believe that Stuxnet was a collaborative effort between two developers—most commonly assumed to be the United States and Israel. Like most discussions regarding the source of Stuxnet, however, this theory has its skeptics, including Rafal Rohozinski and Jeffrey Carr.6

informed the coding of the actual malware. Stuxnet was designed to target a very specific set of programmable logic controllers (PLCs) that are only designed by two countries in the world: Finland and Iran. The malware made changes that caused targeted behaviors in the industrial equipment attached to these PLCs, which may have included

The international community remains

unsure of the source and exact purpose of the virus, but has become aware of its own significant vulnerability as a result of the attack. Key to establishing the source of Stuxnet is determining who had the technical capabilities to launch the attack. Stuxnet was a fairly sophisticated attack, and many experts feel that only a nation-state could have created and launched it. However, even this conclusion is not universally accepted. Rafal Rohozinski, Director of the Advanced Network Research Group, and defense consultant James Farwell have speculated that “a significant body of circumstantial evidence—fragments of code, relationships between individuals, and correlations in cyberspace— suggests a link between the code used by the worm and the burgeoning Russian offshore programming community.”7 In other words, they argue that cyber criminals wrote the Stuxnet code. While this is an interesting proposition, it is ultimately not compelling, since the coding itself was not the key challenge. Rather, launching this attack required very detailed intelligence gathering and planning that

[120] Georgetown Journal of International Affairs

pressure valves, water pump turbines, and nuclear centrifuges. Such a design would have required detailed technical understanding of the interaction of computer systems, industrial control systems, and Uranium enrichment processes. According to Rand Beers, Under Secretary for the National Protection and Programs Directorate at the Department of Homeland Security, “this highly complex computer worm was the first of its kind, written to specifically target mission-critical control systems running a specific combination of hardware and software.”8 Most experts agree that the kind of research, planning and coordinating required to undertake this kind of multi-stage attack against a sensitive industrial control system would most likely point to a nation-state.9 Founder and CEO of Taia, Inc., Jeffrey Carr provides an alternate theory, arguing that multi-national corporations—possibly with state backing—could have been responsible for Stuxnet. “The

LACHOW

Stuxnet malware analysis performed by Symantec, ESET, Kaspersky, Langner Communications, and Microsoft all point to a well-funded team of developers with certain unique skill sets and several months for development and testing. The obvious conclusion is that this team was sponsored by a nation state; however, certain multi-national corporations have the same or better resources than many governments. In some countries, the government has a controlling interest in the largest corporations, such as China’s ‘national champion’ companies (i.e., Huawei) or France’s majority ownership of Areva.”10 In either case—that one or more nation-states launched the attack or that multinational corporations developed and deployed it—the next logical question is: who benefitted from Stuxnet? The obvious candidates are the United States and Israel. One of the revelations from WikiLeaks, however, is the extent to which Arab nations in the Middle East are nervous about a nuclear Iran.11 Several of these countries actually urged the United States to attack Iran in order to remove what they perceived as an existential threat. Other nations that could have benefitted from a slow-down in Iranian nuclear production include China and Russia. Finally, one must consider the possibility that one country may have wanted to inflame political tensions by making it seem that another country, such as the United States or Israel, had launched a cyber attack against Iran. In analyzing Stuxnet, the purpose of the attack is also an incredibly vital source of information in the search for the perpetrators. It seems that Stuxnet was created to deploy software that

International Engagement on Cyber

would disrupt but not destroy the centrifuges that are used to enrich uranium. This points to an attacker who had detailed knowledge of centrifuge behavior. It also reveals a desire to operate “under the radar.” By impacting centrifuge production without actually destroying any centrifuges, the attacker could gain several benefits. For example, the attacker could cause the defenders to spend valuable time trying to determine the reason for the decrease in their equipment’s production. The infiltration could create uncertainty in the minds of the defenders about their ability to pull-off the complex task of enrichment. Impacting centrifuge production without destroying the centrifuges themselves could allow the attacker to linger in the target networks and systems without calling attention to his presence. Finally, in the case of Stuxnet, it is possible that the attacker wished to avoid harming any people. While it is not possible to know exactly what the purpose of Stuxnet was, it is clear that the goal was not simply to destroy a piece of equipment, and that clue does provide some interesting food for thought.

Identifying the Target Identify-

ing the possible targets of the attack would certainly shed some light on the motives and players behind the attack through a strategic analysis of the parties that would benefit most from the successful implementation of Stuxnet’s potential. However, many analysts still feel that there is insufficient evidence to identify a definite mark. For example, in September 2010 a technical director at Symantec noted that the high rate of infections in Iran (about 60 percent of

[121]

THE STUXNET ENIGMA

the total) could have been due to the fact that Iran “was less diligent about using security software to protect its systems” than other countries that had infections.12 Security expert Bruce Schneier published a blog in October 2010 that echoed this sense of uncertainty about the targets (and purpose) of Stuxnet. “We don’t know who wrote Stuxnet. We don’t know why. We don’t know what the target is, or if Stuxnet reached it.”13 Subsequent research has strengthened the case that organizations in Iran were indeed the target.14 In fact, there appears to be some consensus that the primary target appears to be Iran’s nuclear enrichment facility in Natanz, though some experts believe that the Bushehr plant was also a target.15 The most straightforward explanation for an attack aimed at Natanz and/ or Bushehr is that the software was inserted in order to slow down Iran’s

above? There is no way to be sure. This is where the challenges of “signaling” in cyberspace become apparent. In the physical world, nations and organizations have developed complex methods to send messages to one another. Such techniques were a key component of deterrence between the United States and the Soviet Union, but they also play a role in many aspects of international relations. There are no such rules for behavior in cyberspace, at least at the nation-state level. Until such rules of the road (explicit or implicit) are developed, it may be difficult for nations to correctly interpret the intent behind a given action in cyberspace. Stuxnet is a good example of such ambiguity. Interestingly, the Iranian response to Stuxnet implies that the country’s leaders did not know whom to blame for the incident, at least initially. For months after the event, the Iranian government

Stuxnet was a fairly sophisticated attack, and many experts feel that only a nationstate could have created and launched it. nuclear weapons program. There are indications that this may indeed have happened, though the overall impact appears to be minimal. This explanation may not tell the whole story though. Was Stuxnet meant to demonstrate a new capability to Iran (or to the world)? Was it meant as a threat—a “shot across the bow” intended to force Iran to stop enriching uranium? Was it retaliation for a perceived wrong (e.g. the execution of Jews by the Iranian government)? Was it all of the

[122] Georgetown Journal of International Affairs

made a point of downplaying the impact that Stuxnet had had on the country. It was only in November 2010 that Iranian president Mahmoud Ahmadinejad admitted that the worm had affected his county’s nuclear enrichment facilities. Even then, however, the government’s response was muted. Rather than making public pronouncements and using the incident to incite its followers— typical behavior when dealing with the United States and Israel—the Iranian government focused on creating a new

LACHOW

International Engagement on Cyber

cyber warfare militia.16 Only recently (April 2011) has Iran publically blamed specific parties—the United States, Israel, and Siemens (the manufacturer of the control systems that were targeted)—for using the Stuxnet worm to deliberately attack its infrastructures.17

his overall assertion is overly optimistic on two fronts. First, it assumes that adversaries would not be willing to utilize new zero-day exploits to launch Stuxnet variants.20 The Stuxnet authors used four separate zerodays, so they were obviously willing to risk exposing the novelty of these Life after Stuxnet: Preparing vectors, and copycats might very well for Zero-Day Stuxnet has been ana- be willing and able to do so as well. lyzed in detail. Motivated parties can The second assumption in Dr. find a great deal of information on the Libicki’s argument is that organizacharacteristics of the penetration vector tions will take steps to prevent known and payload, which provide them with attacks from working. Unfortunately, an operational blueprint. These coders there is ample evidence showing that could, with moderate capabilities and organizations have a difficult time stayresources, take the Stuxnet code and ing up-to-date on security patches. For simply modify it to target a different example, in Congressional testimony set of controllers. In the words of DHS in 2009, Richard Shaeffer, the DirecUnder Secretary Rand Beers, “Looking tor of Information Assurance at the ahead, the Department is concerned National Security Agency, stated that 80 that attackers could use the increasingly percent of cyber attacks were successful public information about the [Stux- because of poor configuration policies net] code to develop variants targeted and insufficient network monitoring.21 at broader installations of program- Recent data from Verizon show that the mable equipment in control systems.”18 situation may be worse; after examining Some experts do not find this line eight hundred incidents that occurred of reasoning to be compelling. For in 2010 and 2011, Verizon determined example, Dr. Martin Libicki, a senior that 96 percent of the breaches could researcher at the RAND Corporation, have been avoided through the use of has argued that we are unlikely to see simple to intermediate controls.22 It Stuxnet variants because cyber attacks should not be surprising to find that exploit specific vulnerabilities to gain the Government Accountability Office access to a targeted system. Once the has concluded that federal information attacks are discovered, the vulnerabili- technology systems remain highly vulties come to the attention of the tar- nerable to cyber threats like Stuxnet: geted organizations (and potentially “The growing threats and increasing the world), which then patch the hole number of reported incidents highand render a potential attack unsuc- light the need for effective information cessful even before it takes place.19 security policies and practices. HowWhile Dr. Libicki makes a good ever, serious and widespread informapoint that organizations may lose the tion security control deficiencies conelement of surprise when they reveal tinue to place federal assets at risk…”23 a previously unknown attack vector, Perhaps more concerning is the [123]

THE STUXNET ENIGMA

trend line: hackers are outpacing government defenders. According to Alan Paller, Director of Research at The SANS Institute: “… while the federal government has upped its defenses, the bad guys continue to outpace the rate of improvements overall…. the attackers are getting better, faster than the federal government is improving.”24 In short, attackers might not need to rely on zero-day exploits to launch a successful Stuxnet-like attack. They simply need to find a target that is not 100 percent compliant with all of its patches. Or, easier still, they can use social engineering techniques such as targeted spear phishing to gain entry into enterprise networks and then spread laterally throughout the organization in an attempt to gain access to privileged accounts and sensitive information. This approach is extremely common and is used repeatedly to infiltrate companies and governments around the world. Finally, Stuxnet’s most important lessons may not lie in its code, but rather in its demonstrated capabilities.25 Stuxnet may be viewed as a “stealth” precision weapon—a technique for anonymously targeting a specific system or organization without massive collateral damage. Stuxnet may also demonstrate the ability of attackers to either disrupt or destroy their targets, depending on their goals. It is very difficult to develop capabilities in the physical world that can provide such finegrained control over effects. In that sense, Stuxnet could prove to be hugely attractive to a wide range of actors in cyberspace, from nations to terrorists.

[124] Georgetown Journal of International Affairs

Conclusion Attributing cyber attacks

is very difficult. This is hardly a new insight, but it is sobering that so many people have analyzed Stuxnet for so long without reaching a definitive conclusion on its source. Even strategic considerations do not provide conclusive evidence on who might have launched the attack. U.S. leaders should be prepared for a situation in which they have to respond to a serious cyber attack on key assets without knowing the malware’s source or purpose. Stuxnet demonstrates the futility of relying on existing security systems such as air-gapping—which segregates important computer systems from networks that are connected to the Internet—to prevent sophisticated and wellplanned malware attacks. Although this defense is a common way to keep malware out of critical systems and to keep sensitive information within a secure enclave, the effectiveness of Stuxnet shows that even the most secure infrastructures are vulnerable to infiltration. In the words of Farwell and Rohozinski: “The ability to jump air-gap systems is old news.”26 Policymakers need to assume that even air-gapped networks will be breached, and must have technologies, processes, and training in place to deal with this eventuality. Generalizing this point further, one can reasonably conclude that current efforts focused on preventing Stuxnetlike attacks are necessary, but are insufficient in accomplishing that end. It is vital for policymakers to assume that a cyber attack will someday disrupt or destroy one of the nation’s critical infrastructures and to think through what actions are needed to mitigate the impacts of such a scenario. Given

LACHOW

the tremendous uncertainty and stress that are likely to accompany such a scenario, as well as the range of complex legal and political factors that will need to be considered, policymakers must start thinking through response options now, rather than trying to develop and assess such options onthe-fly during a crisis. These response options must encompass measures to minimize the damage caused by a Stuxnet-like attack, to enable rapid reconstitution of necessary capabilities, and to take actions (if desired) against the perpetrators of such an attack. While it may prove nearly impossible to prevent a Stuxnet-like attack from succeeding in the future, there are existing cybersecurity practices and technologies that, if implemented in a well-architected and self-reinforcing

International Engagement on Cyber

manner, can greatly improve an organizationâ&#x20AC;&#x2122;s ability to prevent, detect, and respond to these types of cyber incidents. For example, policymakers can support efforts to buttress fundamental aspects of security that often receive short-shrift in budgetsâ&#x20AC;&#x201D;examples include software assurance, resilience, and data protection. They can also encourage experimentation with promising technologies and practices, such as virtualization and run-time memory forensics. By raising the level of sophistication needed to pull-off Stuxnet-like cyber attacks, the U.S. government, working with industry, can reduce the number of possible adversaries who could execute such operations now and in the future. That alone would be a major achievement.

[125]

THE STUXNET ENIGMA

NOTES

1 The author would like to thank the following people for their reviews of previous drafts of this article: James Lewis, Gary McGraw, Tom Paonessa, Marion Michaud and Gary Gagnon. The views presented in this article are solely those of the author; they do not represent the positions of the reviewers, the MITRE Corporation or its sponsors. 2 Spear-phishing is a technique used to insert malware on a target system. Phishing refers to the use of fake email messages or documents to lure people into taking some action, such as clicking on a link or opening a document, that will infect their system. Spear-phishing is a targeted version of phishing that is designed to increase the likelihood that a target will take the desired action and become infected. For example, a spear-phishing email may be designed to look like it is coming from a trusted source such as a co-worker or friend. 3 One of the most detailed reports comes from Symantec. See Nicolas Falliere, Liam O. Murchu, and Eric Chien, W32.Stuxnet Dossier Version 1.4, (Mountain View, CA: Symantec Corporation, 2011). 4 Further evidence backing this conclusion can be found in the fact that there is a file directory name in the code that references the word “myrtus,” which is the Latin name for “Myrtle,” which is another name for Esther, the Jewish queen from Persia who saved her people from being massacred. However, the term “myrtus” could refer to “my remote terminal units”—devices that interface between physical objects and supervisory control and data acquisition (SCADA) systems such as those that are widely used in infrastructure facilities like power plants and nuclear processing facilities. 5 Falliere, W.32.Stuxnet Dossier, p. 14. 6 See Michael Joseph Gross, “Stuxnet Worm: A Declaration of War,” Vanity Fair, Internet, http:// www.vanityfair.com/culture/features/2011/04/stuxnet-201104 (date accessed: 29 April 2011). 7 James P. Farwell and Rafal Rohozinski, “Stuxnet and the Future of Cyber War,” Survival, 53, no. 1 (2011): 23-40. 8 Statement for the Record of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of Homeland Security, Before the United States Senate Select Committee on Intelligence, 3 March 2011, Washington, DC. 9 See Wikipedia for a summary of the many sources concluding that one or more nation-states were involved in the development of Stuxnet. 10 Jeffrey Carr, Dragons, Tigers, Pearls and Yellowcake: Four Stuxnet Targeting Scenarios, (Taia Global, 2010), 12. 11 Ariel Zirulnick, “Wikileaks reveals 5 Arab countries concerned about Iran,” Christian Science Monitor Online, Internet, http://www.csmonitor.com/World/

[126] Georgetown Journal of International Affairs

Middle-East/2010/1129/WikiLeaks-reveals-5-Arabcountries-concerned-about-Iran/Saudi-Arabia (date accessed: 29 April 2011). 12 Elinor Mills, “Stuxnet: Fact vs. Theory,” CNET News, Internet, http://news.cnet.com/830127080_3-200185alisa.pojani@citi.com30-245.html (date accessed: 29 April 2011). 13 Schneier on Security, 7 October 2010, Internet, http://www.schneier.com/blog/archives/2010/stuxnet.html. 14 See Falliere, W.32.Stuxnet Dossier. 15 Wikipedia has a nice summary of the various perspectives surrounding this issue. See http:// en.wikipedia.org/wiki/Stuxnet. 16 Kevin Fogarty, “Iran responds to Stuxnet by expanding cyberwar militia,” IT World, Internet, http://www.itworld.com/security/133469/iranresponds-stuxnet-expanding-cyberwar-militia (date accessed: 29 April 2011). 17 Saeed Kamali Dehghan, “Iran accuses Siemens of helping launch Stuxnet cyber-attack.” Guardian.co.uk., Internet, http://www.guardian.co.uk/ world/2011/apr/17/iran-siemens-stuxnet-cyberattack (date accessed: 29 April 2011). 18 Beers testimony. 19 See Thomas E. Ricks, “Libicki: Stuxnet isn’t all that it’s cracked up to be—but then neither is cyberwar, really,” Foreign Policy Online, Internet, http://ricks. foreignpolicy.com/posts/2011/03/03/libicki_stuxnet_isnt_all_its_cracked_up_to_be_but_then_neither_ is_cyberwar_really (date accessed: 23 April 2011). 20 A “zero-day” piece of malware is one which has not been seen before and for which specific antivirus or intrusion detection signatures are not yet available. 21 Kim Zetter, “Senate Panel: 80 Percent of Cyber Attacks Preventable,” Threat Level, Internet, http://www.wired.com/threatlevel/2009/11/cyberattacks-preventable (date accessed: 29 April 2011). 22 Verizon, 2011 Data Breach Investigations Report (Verizon, 2011): 3. 23 Gregory C. Wilshusen, Cybersecruity: Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats, Testimony Before the Committee on Homeland Security, House of Representatives. Washington, DC: General Accountability Office, June 16, 2010. 24 Angela Moscaritolo, “Rise in federal cyberattacks partly due to better monitoring,” SC Magazine, Internet, http://www.scmagazineus.com/rise-in-federal-cyberattacks-partly-due-to-better-monitoring/ article/199387/ (date accessed: 29 April 2011). 25 This discussion is partly based on “The meaning of Stuxnet” in The Economist, October 2-8, 2010, 14. 26 Farwell and Rohozinski, “Stuxnet and the Future of Cyber War,” p. 25.

Responding to Sub-Threshold Cyber Intrusions A Fertile Topic for Research and Discussion Herbert Lin

From a national security perspective, adversarial actions in cyberspace can span a broad range. Some actions, such as foreign hackers defacing U.S. government websites, are clearly of a different level of significance than cyber espionage directed by foreign governments against U.S. military contractors, or destructive Trojan horses implanted in the cyber infrastructure of the electric power grid.

Armed Conflict, Use of Force, and Armed Attack

Many discussions regarding cyber policy as it applies to adversarial actions in cyberspace—both inside and outside the U.S. government—are focused on understanding the nature of the threshold that separates situations involving “armed conflict,” “use of force,” and “armed attack” (AC/UoF/AA) from situations not involving these terms. These three contexts frame different types of adversarial actions, and accordingly, would require distinct responses from U.S. governmental bodies. International law distinguishes two types of armed conflicts (AC): international armed conflicts and noninternational armed conflicts. The former refers to aggression between two or more nation-states, while the latter describes conflicts among governmental forces and non-

Dr. Herbert Lin is chief scientist of the Computer Science and Telecommunications Board, National Research Council of the National Academies. In the past several years, he has directed major studies on cybersecurity research, cyberattack as an instrument of U.S. policy, and cyber deterrence. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee. He received his doctorate in physics from MIT.

[ 1 27 ]

RESPONDING TO SUB-THRESHOLD CYBER INTRUSIONS

governmental armed groups, or among nongovernmental armed groups only.1 Scholars of international law debate the precise meaning of the term, but the International Committee of the Red Cross claims that prevailing legal opinion on the topic cites international armed conflicts as “exist[ing] whenever there is resort to armed force between two or more states, regardless of intensity, outcomes, or duration of the conflict,” and non-international armed conflicts as “protracted armed confrontations that reach a minimum level of intensity…[i]n addition, the parties involved in the conflict must show a minimum [level] of organization.”2 The second situation, the use of force

diplomatic relations.” In addition and based largely on historical precedent, nations appear to agree that unfavorable trade decisions, space-based surveillance, boycotts, espionage, and economic and political coercion, do not rise to the threshold of a “use of force,” regardless of the scale of their effects. Finally, adversarial actions can take the form of an armed attack (AA). Article 51 of the UN Charter provides that “[n]othing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace

Today, actions against a computer system or network can generally take two forms: cyber attacks and cyber exploitations. (UoF), is not entirely clear under international law, and may not include a wide range of seemingly adversarial actions. Article 2(4) of the United Nations Charter prohibits nations from using “the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.”3 The Charter, however, does not formally define the terms “use of force” or “threat of force,” although Article 41 specifically excludes from the definition of “the use of armed force” the “complete or partial interruption of economic relations and of rail, sea, air, postal, telegraphic, radio, and other means of communication, and the severance of

[128] Georgetown Journal of International Affairs

and security.”4 As in the case of “use of force,” there is no formal definition of “armed attack.” Most analysts, however, would argue that “armed attack” is likely to include declared war, occupation of territory, naval blockade, or the use of armed force against territory, military forces, or civilians abroad. Understanding the nature of the threshold separating these three situations serves two important purposes. First, in the event that an adversarial action occurs against the United States or its interests, a judgment that the action is above this threshold would enable the United States to act in a manner that is less constrained than would be the case if the action were below this threshold. (Of course, such

LIN

International Engagement on Cyber

a judgment would not require that the United States necessarily must act in a less constrained manner—only that it had more rights to do so.) Second, understanding this threshold shapes the government’s freedom of action under normal (i.e., nonwartime) circumstances. Specifically, even in the absence of overt hostilities, the United States may itself wish to undertake various offensive activities to further its own interests. Even so, the United States may not wish to cross the armed conflict threshold. A prerequisite for not crossing that threshold is knowing both where that threshold is and what considerations are relevant to crossing it.

sary computer systems and networks unavailable or untrustworthy, and therefore less useful to the adversary. Cyber exploitation refers to the use of actions and operations—perhaps over an extended period of time— to obtain information resident in or transiting through adversary computer systems or networks, information that would otherwise be kept confidential. Cyber exploitations are usually clandestine and are conducted with the smallest possible intervention that still allows extraction of the information sought.5 They do not seek to disturb the normal functioning of a computer system or network from the user’s point of view, and the best cyber-exploitation is one that a user never notices. Adversarial Actions in CyberThe technological underpinnings and space Admittedly, U.S. policymak- associated operational considerations ers faced the challenge of determining for cyber attacks and cyber exploitations appropriate responses to different types are quite similar. Both cyber attacks of conflict long before computers came and cyber exploitations require there to into existence. It is fair to say, however, be a vulnerability in the targeted comthat the first attempts at understand- puter system in order to be successful. ing the meaning of these terms did not Furthermore, both require access to account for the possibility of adversarial that vulnerability, as well as a payload actions occurring in cyberspace. Today, to execute. In a non-cyber context, a actions against a computer system or vulnerability might be a lock that is easy network can generally take two forms: to pick on a filing cabinet, and access cyber attacks and cyber exploitations. would be an available path for reaching Cyber attack refers to the use of the cabinet. From an intruder’s perdeliberate actions and operations—perspective, access to a filing cabinet locathaps over an extended period of time— ed on the International Space Station to alter, disrupt, deceive, degrade, or would pose a very different problem destroy adversary computer systems from that posed by the same cabinet if or networks, or the information and/ it were located in an office in Washingor programs resident in or transit- ton D.C. The payload is responsible ing these systems or networks. Such for executing the action taken by the effects on adversary systems and net- intruder after the lock is picked. For works may also have indirect effects on example, the intruder could destroy the entities coupled to or reliant on them. papers inside, or he could alter some A cyber attack seeks to make adver- of the information on those papers.

[ 1 29]

RESPONDING TO SUB-THRESHOLD CYBER INTRUSIONS

The primary technical difference between a cyber attack and a cyber exploitation is in the nature of the payload to be executed; a cyber attack payload is destructive whereas a cyber exploitation payload acquires information non-destructively. In addition, since a cyber exploitation should not be detected, the operation must minimally disturb the normal operating state of the targeted computer. In other words, the intelligence collectors need to be able to maintain a clandestine presence on the adversary computer or network despite the fact that information exfiltrations provide the adversary with opportunities to discover that presence.

tion, have fallen short of any plausible threshold for “armed conflict,” “use of force,” or “armed attack. For example, Deputy Secretary of Defense William J. Lynn III recently argued in an article published in Foreign Affairs that the theft of intellectual property may be the most significant cyber threat that the United States will face over the long term, even if it is less dramatic than threats to critical national infrastructure (actions that would arguably cross AC/UoF/AA thresholds). Furthermore, espionage is not regarded as a legitimate casus belli; that is, it is not covered under current international laws regarding armed conflict and war. Even though Responses to Adversarial certain forms or instances of espionage Actions in Cyberspace The pos- may be more harmful to the national sibility of adversarial actions in cybersecurity of the United States than traspace does create some unique issues ditional “acts of war,” there is no founthat may require different responses dation under international law to use than those involving the use of kinetic force in responding to such espionage. instruments. (See Table 1) With respect The United States has a long histo the AC/UoF/AA threshold, however, tory of exercising its options under when U.S. decision makers operate conditions of overt hostilities, and a in circumstances below the threshold— well-developed policymaking appara-

As a general rule, responses to cyber in-

trusions require some degree of attribution, although the certainty of attribution need not necessarily meet the “beyond a reasonable doubt” standard in all cases. wherever it may be—they are dealing primarily with issues of policy rather than law. Today, all or nearly all of the adversarial actions taken against the United States in cyberspace, including both cyber attacks and cyber exploita-

[130] Georgetown Journal of International Affairs

tus to determine how to exercise its options if and when such conditions should arise in the future. In this regard, options for offensive action in cyberspace are simply a part of the complete range of options available to

LIN

International Engagement on Cyber

TABLE 1: A COMPARISON OF KINETIC AND CYBER OPERATIONS Kinetic Operations Cyber Operations • Space of conflict often separate from civilians

• Space of conflict is often where civilians live and work

• Offense – defense technologies often in rough balance

• Offense generally beats defense, given enough time.

• Attribution to adversary assumed

• Attribution hard, slow, uncertain

• Capabilities of non-state actors relatively small

• Capabilities of non-state actors relatively large

• Significance of distance large

• Significance of distance minimal

• National boundaries important

• National boundaries irrelevant

• Clear lines between attach and spying as security threats

• Attack and spying hard to distinguish

• Effects reasonably predictable

• Effects hard to predict or control

Current international law, formulated largely in a world where kinetic action was the only forceful action possible, recognizes national borders, as well as the difference between actions involving the use of kinetic weapons and those involving espionage, and the difference between national and non-national parties. Distance also matters when planning kinetic actions, whereas adversarial actions in cyberspace are not nearly as constrained by distance. The target of an adversarial action generally cannot determine if the action is intended as an attack or for espionage. National boundaries are highly porous in cyberspace, and non-national parties can conduct actions with effects that are comparable to what nations can accomplish.

U.S. national security decision makers. There is no comparable history for understanding how to respond to adversarial offensive cyber operations, either as an attack or for exploitation—under conditions that fall short of armed conflict, use of force, or armed attack,6 and as a result there is a distinct lack of analysis and a paucity of knowledge regardin the scope, nature, and degree of appropriate options for responding to cyber intrusions. As a general rule, responses to cyber intrusions require some degree of attribution, although the certainty of

attribution (i.e., the likelihood that the perpetrators are correctly identified) need not necessarily meet the “beyond a reasonable doubt” standard in all cases. Once attribution is established, policymakers and other stakeholders can take a range of actions to counter or mitigate the effects of a cyber intrusion. At the most basic level and even without attribution, system operators can effect immediate or near-immediate changes in the defensive posture of the affected computer or network. An installation subjected to intrusion may shut off unnecessary services,

[ 1 31 ]

RESPONDING TO SUB-THRESHOLD CYBER INTRUSIONS

drop traffic, or install harmful patches. Changes in defensive posture, however, do not generally impose a cost on the intruder. In any event, many measures that would be implemented during or after an intrusion are likely to be actions that probably should have been taken before the intrusion. Another option is to call upon law enforcement officials to seek out and arrest cyber criminals. In the aftermath of a cyber attack, law enforcement officials generally undertake investigations to identify and prosecute those responsible for the cyber intrusion. But such investigations often take a long time, during which the perpetrators can continue their attack and the victim of the cyber intrusion has no recourse or relief. It is also significant that law enforcement resources to investigate cyber crime are limited compared to the number of cyber intrusions that they would have to address. Consequently, the victim of a cyber crime may not have access to law enforcement actions for some time after the intrusion is reported. Diplomacy presents a wide range of response options for the U.S. government, assuming that a nation-state party can be associated with the perpetrator. For example, in the aftermath of the Google incident, Secretary of State Hillary Clinton called for the Chinese government to investigate the allegations of Chinese intrusions into Google computers. From time to time, the United States issues demarches to various nations, recalls an ambassador for consultations, and breaks diplomatic relations. Such responses, and many more like them, are available to government officials depending on the seriousness with which the United States

[132] Georgetown Journal of International Affairs

might view a given cyber intrusion. Diplomatic responses can sometimes be facilitated if two nations are parties to an agreement that commits them to take certain actions or to refrain from taking other actions. For example, the Council of Europe Cybercrime convention obligates signatories to respond promptly in the event that certain cyber actions originate in their national territories. A signatoryâ&#x20AC;&#x2122;s failure to do so would constitute a breach of its obligations, and would provide a natural opening for another nation to complain diplomatically. Economic and trade sanctions are a time-honored economic response to the behavior of a given nation, and present another, more severe response to cyber intrusion. Sanctions are often much more effective when other nations agree to participate, but under some circumstances, sanctions can be imposed unilaterally with non-trivial effect. Sanctions, however, are not the only possible economic response. Examples of other feasible responses include actions that affect foreign currency, and overt assistance to domestic corporations to help them to compete against foreign companies. Depending on the nature and scope of the cyber intrusion, kinetic and nonkinetic military responses may be another option for the U.S. government. Further, not all military responses must involve the use of kinetic force. For example, the United States has deployed Airborne Warning and Control System (AWACS) aircraft (which are unarmed) to various conflict regions in times of tension as visible signs of U.S. commitment and resolve. Military forces, moreover, are sometimes used to support law enforcement actions, as illustrated by the use, in part, of the U.S.

LIN

military in Operation Just Cause (the invasion of Panama) to arrest General Noriega for drug trafficking. In addition to military action, covert action is also possible when the United States wishes to conceal its involvement in an operation from the domestic or foreign public. U.S. responsibility for some putatively covert actions, however, is widely known. Covert action sometimes involves the use of kinetic force, but not always. Channeling funds to opposition groups favored by the United States, for example, can be considered covert action as well. Finally, cyber intrusions could be countered with cyber responses. In principle, either military or intelligence community assets could undertake cyber responses, and both could use cyber attacks or cyber exploitation. Moreover, responses could, in principle, be directed against any appropriate targets â&#x20AC;&#x201D; the appropriate target set, however, may not necessarily be limited to cyber targets under the direct control of a foreign government. As noted above, the issue of attribution to a responsible political entity looms large in most responses. The necessary level of attribution need not be obtained through technical or forensic analysis alone, and non-technical information can sometimes be combined with technical information to yield more precise attribution than that which would be possible in the absence of such combination. Further, the perpetrators of cyber intrusions sometimes make mistakes, which can yield information that victims can use in attributing responsibility. Apart from the issue of attribution, other problems abound in determining an appropriate response to a given cyber

International Engagement on Cyber

intrusion. For example, how and to what extent, if at all, should the United States make clear to an adversary that a given response, whatever it may be, is indeed a response to a specific cyber intrusion? In the worst case, the United States may compromise intelligence sources and methods by merely acknowledging that it knows of a specific intrusion. The United States may also lose some degree of covertness or clandestineness by the very act of announcing its response. A final consideration is that private-sector entities (e.g., companies in the defense industrial base or companies that are part of critical national infrastructure, such as electric power, transportation, finance, and telecommunications) will sometimes be the target of (or conduit for) adversarial actions in cyberspace. For some of the response categories above (e.g., changes in defensive posture, cyber responses, economic actions), a targeted privatesector entity may have a non-negligible response capability and a certain selfinterest in exercising that capability. Under current domestic law and policy, however, private-sector entities are much more circumscribed in their freedom of action than the government is.

Areas for Research Given the foregoing as background, research in this area could usefully address a number of issues. First, researchers could develop a taxonomy of cyber intrusions that fall below AC/UofF/AA thresholds in otherwise peacetime conditions. At the more intense and serious end of intrusions, this taxonomy would entail analysis of where the threshold for each should be. The taxonomy would be helpful at the lower end as well, where [ 1 33]

RESPONDING TO SUB-THRESHOLD CYBER INTRUSIONS

intrusions of various types occur all the time. Characterizing the scope, nature, and significance of different categories of below-threshold intrusions would help to orient policymakers in making decisions under these circumstances, and working through a number of examples of intrusions in each category would help to flesh out what the various categories might imply. A second topic for researchers is the development of a taxonomy of responses to cyber intrusions that fall below the AC/UoF/AA threshold in otherwise peacetime conditions; such a taxonomy might be based on the descriptions of response options described above. Each category in the taxonomy might be accompanied by a description of the actions that might be entailed in that category, the legal authorities that might be needed to exercise the response, and the operational capabilities needed to execute the response. Illustratively mapping potential responses to possible intrusions would add significantly to the value of such research. For every category of cyber intrusion, a set of possible options could be identified and the pros and cons of those options discussed. Analysis could also consider the nature and extent of the international legal and regulatory regime necessary to enable responses should they be deemed desirable from a policy perspective. In addition, but only if possible, the mapping could address the scope and nature of evidence needed in order to take each type of responsive action. For example, launching a cyber attack in response to an intrusion would likely require a greater degree of evidence than would be required for changing defensive postures. [134] Georgetown Journal of International Affairs

Finally, research could consider the nature and extent of private-sector responses to cyber intrusions and how, if at all, such responses might factor into and/or be coordinated with government responses. Analysis under this category could also consider the nature and extent of the domestic legal and regulatory regime necessary to enable private-sector responses should they be deemed desirable from a policy perspective. If possible, the mapping could also address the scope and nature of evidence needed in order to take each type of responsive action. Such action might be undertaken by the affected private-sector entity, by government agencies, or a combination of the two.

Conclusion Most of the cyber intru-

sions suffered by the United States to date fall far short of any plausible threshold for implicating international law involving “armed conflict,” “use of force,” or “armed attack,” and yet most of the scholarship in this area has been focused on intrusions that might meet or exceed such a threshold. U.S. policymakers are faced with deciding what to do in response to sub-threshold intrusions every day, and it is in understanding how the United States should respond to cyber intrusions that do not rise to AC/ UoF/AA thresholds that research may have the greatest operational impact. Such research may also have value as a vehicle for analyzing options concerning agreements with other states; research could help to assess what should or should not be prohibited or encouraged as well as the areas in which international cooperation would make sense even with parties that are not trusted. In the context of this paper, research

LIN

should be interpreted broadly. Although traditional scholarship has a critical role, conferences, symposiums, and other events are at least as important for generating discussion and debate, even if definitive or authoritative answers are not forthcoming. Such events, especially those undertaken under the auspices of neutral bodies, can help to

International Engagement on Cyber

identify new important questions, to articulate questions more precisely, and to clarify areas of difference and similarity regarding possible answers. Such measures are necessary first steps in the development of a policy consensus on how to approach what appears to be one of the most pressing and immediate problems in cybersecurity today.

NOTES

1. In addition, international law distinguishes between non-international armed conflicts in the meaning of common Article 3 of the Geneva Conventions of 1949 and non-international armed conflicts falling within the definition provided in Article 1 of Additional Protocol II. 2. International Committee of the Red Cross, “How is the Term “Armed Conflict” Defined in International Humanitarian Law?”, ICRC Opinion Paper (March 2008), Internet, http://www.icrc.org/eng/ resources/documents/article/other/armed-conflictarticle-170308.htm. 3. “Charter of the United Nations” (1945) Ch. 1, Art. 2(4). 4. “Charter of the United Nations (1945) Ch. 7, Art. 51.

5. If the requirement for stealth is met, the adversary is less likely to take countermeasures to negate the loss of the exfiltrated information. In addition, stealthiness enables one penetration of an adversary’s computer or network to result in multiple exfiltrations of intelligence information over the course of the entire operation. 6. The 2009 NRC report concluded that the United States had a wide range of options for responding to incidents in cyberspace, including dynamic changes in defensive postures, law enforcement actions, diplomacy, and economic actions, in addition to traditionally military responses such as kinetic attacks (and today cyberattacks).

[ 1 35]

Cyber Security: An Integrated Governmental Strategy for Progress Franklin D. Kramer This article was originally published as an issue brief by the Atlantic Council. No modifications were made to the content of the original version, which can be accessed at: http://www.acus.org/files/publication_pdfs/403/Cyber%20 Security-%20An%20Integrated%20Governmental%20 Strategy%20for%20Progress.pdf Cyber security has emerged as a critical challenge in an era defined by global interconnectedness and digital information. While there are multiple ongoing efforts that seek to enhance cyber security, an integrated governmental strategy to meet that challenge has only begun and has yet fully to take shape. All strategies demand recognition of risk and prioritization of resources, and cyber strategy will be no different. An effective approach to creating a risk-adjusted, prioritized cyber strategy for the U.S. government would be to focus on key national security problems, provide solutions for those problems and then use that learning to help create security in the broader cyber arenas. Such a strategy would have the additional benefit of establishing an effective allocation between those efforts where government is significantly

[136] Georgetown Journal of International Affairs

Franklin D. Kramer is Vice Chairman of the Atlantic Council Board of Directors and is a member of the Atlantic Council Strategic Advisors Group. He served as Assistant Secretary of Defense for International Security Affairs during the Clinton Administration.

KRAMER

International Engagement on Cyber

engaged in providing cyber security and the much broader area of market-generated cyber security where the private sector can provide reasonable security (although, even in this broader area, there will be value in certain kinds of appropriate governmental support).

we face as a nation.” As the statement indicates, the cyber threat is substantial. There are vulnerabilities at all levels of the cyber arena: computers themselves were designed to implement programs and manipulate data – not to provide security – and the networks were designed to transmit information, Under a national security approach to not to check its validity or safety. It is cyber security, the cyber areas for which true, of course, that, while security has the government must take key respon- been an ‘add-on’ to cyber connectivsibility are: ity, numerous security capabilities have • ensuring that the Department of been created at the hardware, softDefense (DOD) and the Intelligence ware and process levels, and have been Community (IC) can operate effectively applied by the government, private secwhile under cyber attack, including in tor and individuals. The problem is wartime; that, despite some excellent capabilities • ensuring through effective public- and efforts, the level of security thus far private partnerships that key critical achieved is not yet adequate. Indeed, infrastructures – electric grid, finan- perhaps the most salient characteristic cial, telecommunications and govern- of cyber is the combination of its very mental – do not suffer catastrophic widespread and growing use despite the failure if attacked, and can maintain/ fact that there are ongoing substantial return to adequate service while under attacks, some with great success, against attack; and its users. • limiting espionage and exfiltration of national security information. Cyber attacks (or their threat) can be categorized in numerous ways, but As important as the foregoing are, they one profitable approach is to separate do not constitute most of the cyber attacks into two categories based on arena. However, with appropriate gov- attacker objectives: ernmental support, the private sector • those with potential national security can reduce the vulnerability of busi- consequences where the aim is to undernesses and individual citizens to cyber mine or have the capacity to undermine attack across the broad spectrum so that key capabilities, such as the military or economic, individual and social activi- the electric grid, or for espionage; and ties may make valuable use of cyber. • those with criminal objectives where the aim is to generate funds, sometime The Challenge: Reducing Cyber through selling or using data and someInsecurity times through extortion. The National Security Strategy states, “Cybersecurity threats represent one Both national security and criminal of the most serious national security, attackers possess very advanced capapublic safety, and economic challenges bilities. The general consensus is that

[137]

CYBER SECURITY: AN INTEGRATED GOVERNMENTAL STRATEGY FOR PROGRESS

it should be assumed in current circumstance that advanced attackers can succeed in getting through defenses – which makes the issues of resilience and limitations on the effects of attacks quite important. On the national security side, there have been cyber attacks in wartime (on Georgia during the conflict with Russia) and in more ambiguous circumstances (on Estonia), and there have been numerous media stories of Chinese attacks on governments (including on the United States, the United Kingdom, France, Germany and India). General Alexander, the head of Cyber Command, has publicly stated that that the Department of Defense is subject to some six million attempts per day at unauthorized intrusions, and Deputy Secretary of Defense William Lynn has said that the DOD “has not always been successful stopping intrusions” and has “experienced damaging penetrations.” On the criminal side, there is a brisk trade in criminal capabilities on the Internet. Actual losses are certainly high, including exfiltrations of intellectual property estimated in terabytes, but the unclassified data on annual losses varies by orders of magnitude from hundreds of millions to as high as an estimate of $400 billion. Finally, it is worth noting that there is not necessarily a bright line between national security and criminal objectives: the well-known attack on Google may be an exemplar of a hybrid situation.

The Proposed Strategy

As noted above, a strategic approach to cyber security would be to focus govern-

[138] Georgetown Journal of International Affairs

mental efforts, first, on limiting national security consequences and, then, to use the learning from such efforts to support cyber security in the broader arena. The technical fundamentals of providing cyber security overlap between the national security and the broader cyber arenas, and thus advances in security in one arena are valuable to all. To be sure, there are important concerns in the cyber world beyond national security matters, but the focus on national security allows for a sharpened direction both of governmental resources and legislative and regulatory efforts, as well as a clarification as to what specific results are being sought. Within the national security arena, the key requirement for an effective cyber security strategy will be to take particularized steps critical to the nature of the problem being faced. Focusing on key problem areas allows for defining achievable responses, and seeking specific results allows for a much more programmatic, metric-driven approach. While there are definitely overlaps among appropriate responses, not all steps taken in one national security arena are necessarily appropriate for another – and there are different levels of risk which may be acceptable among different areas. In addition, policy, legislative and regulatory steps may differ among different arenas, and focus allows for more granular analysis. Within this broad framework, the key strategic steps for national security cyber issues follow.

Department of Defense/ Intelligence Community

KRAMER

The DOD and IC face the issues of defending essential networks and operations and of determining how and when to use offensive capabilities. Computer Network Defense: The DOD and IC are fully aware of the problems of cyber security and the currently available techniques of detection, protection and response. This is no small matter because for the other national security problems described below – infrastructure vulnerability and espionage – the technical solutions for security are either not available or not well understood (even to the extent they are available). Current technical capabilities are not sufficient for fully adequate cyber security, but current capabilities properly provided can significantly enhance security.1 Knowledge, however, is not enough. The DOD’s cyber assets are large, including some 7 million machines and 15,000 networks. The creation of an effective technical architecture with adequate situational awareness, resilience and interoperability will be a significant challenge. In light of the significant technical capabilities of the DOD/IC, the fundamental cyber security issues faced are less knowledge about what to do than overcoming the resource, organizational and other barriers to: • designing, deploying and operating effective capabilities as widely as necessary; • training against cyber attacks; and • developing (and then deploying) better future capabilities.

International Engagement on Cyber

Deploying Capabilities: With respect to the first objective – DOD deployment of effective defensive capabilities – the key issues are scale and availability of resources. Historically, there has been a strong tendency within the DOD to enhance connectivity, but not to give as high a priority to integrating security into that connectivity. Network-centric warfare depends on embedded C4ISR – but that very capability has created an inherent vulnerability.2 How quickly to provide the resources to significantly protect DOD assets, and what level of protection to provide to different groups within the DOD, is yet to be determined. But given the conclusion that the cyber threat is both widespread and advanced, it should be expected that in a significant conflict, cyber attacks will be widely used against our forces. To protect against such attacks and avoid catastrophic failure, substantial increases in cyber defenses will be necessary. A key requirement will be to establish cyber security as a critical element in the table of organization and equipment of units at all appropriate levels, including wartime missions, capabilities, organizational structures, and mission essential personnel and equipment requirements. Effecting these requirements throughout the DOD will be a very substantial task and will require highest level efforts to ensure the budgetary resource priority that cyber security should receive as compared to the many other significant demands on DOD resources.

A related, but different issue dealt with Training: With respect to the second separately below, is integrating the use of objective – training against cyber attacks cyber offense. – the problem is at once simple yet quite difficult. Generally, under current [139]

CYBER SECURITY: AN INTEGRATED GOVERNMENTAL STRATEGY FOR PROGRESS

circumstances, use of cyber attack capabilities in skilled hands against a training force can be quite disruptive and undercuts achieving training objectives. The question becomes how to conduct necessary training – and also under potentially realistic scenarios that would include cyber – while recognizing that, in today’s wars, cyber has not yet become a significant factor with which to contend. Again, only high-level attention is likely to make progress in this arena, but as a general proposition, cyber training should be much more significantly incorporated in the training cycles. We do not want to find ourselves in the position regarding cyber that we have recently endured regarding irregular warfare in which only after years of combat has training started to catch up.

current circumstances or in gray areas where it is not clear that we are at war, and • over-classification. Wartime: In wartime, once the president has determined to use force, the use of CNA is generally subject to the same rules as the use of other weapons, which include the norms of necessity and proportionality. Other weapons’ capabilities of some similarity have been long used in wartime – electronic warfare in particular – and the military needs to integrate CNA as appropriate in strategic, operational and tactical planning across the full spectrum of warfare including conventional and irregular. Some of this planning is already ongoing, and it will be a particular task of Cyber Command, generally in support of regional commanders. In addition, because of Future Capabilities: The third objective the speed with which cyber attacks can – developing future capabilities – should take place and the potential necessity be part of a national effort discussed in wartime for very prompt responses, below. This is critical because of the there is a crucial need to develop standcurrent situation in which it is gener- ing rules of engagement that will allow ally concluded that advanced attackers commanders to take necessary steps to have very substantial capacities to pen- support wartime objectives. Moreover, etrate cyber defenses. While defeating planning and exercises are necessary to all attacks always is undoubtedly too high evaluate how best to use cyber, including a bar, defeating many more should be how to calculate effects and what limits possible as should be the development are required and/or appropriate. of resiliency capabilities which would let the DOD operate while effectively under Classification: Wartime planning and attack. implementation will be significantly enhanced if classification were signifiComputer Network Attack: Integrating cantly reduced in the cyber world. The the use of cyber offense via computer Vice Chairman of the Joint Chiefs of network attack has generated a great Staff, among many others, has elodeal of heat and little light in the DOD. quently and bluntly spoken to this issue. There are two major obstacles: While there are good reasons to highly • conflating the considerations of use classify and compartment some cyber of Computer Network Attack (CNA) matters, there is such significant overin wartime with potential use either in classification and compartmentation [140] Georgetown Journal of International Affairs

KRAMER

that planning and operational integration is overly difficult. A good deal of over-classification arises because the DOD learns threat information through the IC whose techniques are themselves highly classified and compartmented. However, cyber presents the unusual situation in which the private sector learns much (though not all) of that same information through non-classified actions (e.g., companies like Symantec, McAfee or the various Internet Service Providers such as Verizon or AT&T). A systemic effort to limit highly classified and compartmented information to the truly necessary, to allow most operational activities to be classified at the Secret level and to engage in many basic conversations at the unclassified level would significantly enhance DOD’s capacity to integrate cyber. That approach is generally used in connection with electronic warfare. Its implementation will require high-level action since resolving the DOD/IC classification interface will not be simple.

International Engagement on Cyber

lar instance to the problem at hand.

Law enforcement and forensic analysis are obviously one element of a whole of government response capability, but the more difficult issues involve responses beyond that arena. The intrusions into Google illustrate the issues. There often will need to be coordination between the government and one or more private entities. • A first level of response could be diplomatic at the bilateral level. In the Google case, for example, the Secretary of State has called for an investigation into the alleged intrusions by the Chinese government. • A second level of diplomatic response would be to consider whether an international regime could be established to limit cyber attacks. There are a great many questions in this regard. For example, if the Google attacks or others reported in the media have been directed by the Chinese government, would an international regime be helpful? The Russians have proposed a regime under Gray Areas – Less than Wartime: The United Nations auspices, but Russia is most daunting intellectual challenges in thought to have been behind attacks on cyber security concern what type and Estonia and Georgia and many cyber degree of responses are appropriate to a criminal gangs are said to have Russian cyber attack under less than wartime cir- connections – so would this be an effeccumstances. That, of course, is the situa- tive regime or just a constraint on the tion in which the United States now finds United States? Despite these very legitiitself. The severity of the attacks could mate concerns, exploration of an interincrease without there being a decision national approach seems warranted to by the President that a conflict situation determine if useful international norms had arisen and wartime-like responses might be established even if such efforts are called for. In seeking to deal with might well not end in any agreed conclusuch gray areas, the most appropriate sion. It may be that limits on criminal approach will be for the government to actions will turn out to be possible to develop a menu of responses – a whole of agree upon even if limits on nation-state government approach – which can then actions cannot be agreed. be applied as determined in the particu- • A third potential arena for response to

[141]

CYBER SECURITY: AN INTEGRATED GOVERNMENTAL STRATEGY FOR PROGRESS

cyber attacks would be economic. In the non-proliferation and the counter-terror areas, the use of economic sanctions is well-accepted. Adapting an economic sanctioning regime to the cyber arena would potentially be valuable, and it would add to the government’s available arsenal of responses. • At the fourth level, there is the potential use of either cyber or kinetic response. Kinetic responses are unlikely unless the President determined a conflict situation existed. However, it is worth noting that in certain cases, such as the 1989 intervention in Panama, the United States has used military force in support of what has included law enforcement issues (e.g., drug dealing). Moreover, in the counter-terrorism arena, both the Obama and the Bush Administrations, with the support of the Congress, have chosen to seek out adversaries by various means, including highly kinetic.

likelihood is that any particular situation has to be determined based on the specifics of the situation, it is worth noting that under the rules of war, placing naval mines in another country’s territorial seas is unlawful. Analogously, embedding potential attack capabilities or actually attacking national security structures of a country would arguably similarly authorize a cyber response if and when the President determined that would be substantively appropriate.

Distinguishing what precisely the threshold is between a wartime and less-thanwartime circumstance has gotten a great deal of attention. Often the question is put in legal terms – has an armed attack occurred under article 51 of the United Nations charter (or under article 5 of the NATO Treaty). While there are obvious legal issues, the fundamental question is a policy one. It seems extremely unlikely that any country suffering significant Cyber responses to cyber attacks (or damage because of a deliberate cyber other uses of cyber by adversaries, e.g., as attack would not deem it appropriate a method of communication or recruit- to at least consider and perhaps take ing by terrorists) could also be utilized wartime-like steps – or to put it in legal in certain circumstances. Such responses terms, to determine that it had suffered could include possibly disabling actions an armed attack. There can be uncertaken against web sites or servers from tainties as to how much damage would be which attacks or other actions were gen- deemed sufficient, but that calculus also erated. Such responses raise a variety of is true in kinetic circumstances – and it questions. One frequent issue is when also most probably would be affected by is the DOD empowered to take action analysis of intent. under U.S Code Title 10 and when would a response have to be under the There are two implications from this President’s covert action powers under conclusion. Title 50. Mostly, this issue concerns • First, it will be valuable to seek to deter compliance with Congressional direc- such a serious attack – and one step to tives – but the ultimate decisionmaker in doing that would be a declaratory policy each instance will be the President – so stating the authority and capacity of the the fundamental question will be when United States to respond fully to a cyber responses are justified. While the high attack of unacceptable consequence in a

[142] Georgetown Journal of International Affairs

KRAMER

manner and time of its choosing. • Second, it is also important to recognize that even if there is a cyber attack of consequence – sufficient to be deemed an armed attack under the UN charter – that United States’ laws and rules must govern the United States’ response – and, in particular, the relationship between the Executive Branch and the Congress. An appropriate declaratory policy, as has been used with respect to other types of potentially serious attacks, could help create a common Executive Branch-Congressional understanding. To summarize, the development of a menu of whole of government responses and appropriate doctrinal and legal analysis to support them will be a critical element of cyber security strategy.

International Engagement on Cyber

tive public-private partnerships that will enhance cyber security. Likewise, at the top of the financial industry (including the Federal Reserve, large banks and large money flows), there is also a great deal of attention to the cyber security issue, although further down the financial chain, there are significant vulnerabilities. By contrast, the federal government generally is not well-protected nor are state and local governments. Similarly, the electric grid appears highly vulnerable. Under a prioritized national security strategic approach, federal government operations and the electric grid would receive the most immediate attention, though the telecoms and the financial industry do need significant consideration.

Federal Government: For the federal government, the existence of cyber secuCyber security varies considerably among rity vulnerabilities is, in significant part, key critical infrastructures – telecom- a matter of priorities and resources. As munications, financial, governmental noted above, the existing techniques of and electric grid. With the exception of protection are well-known to at least the federal government infrastructure, some parts of the government. For the role of the government concerning example, even apart from the DOD key critical infrastructure is twofold: and IC, the Department of State has • to help develop solutions that industry developed a systematic approach that is can implement, and reasonably effective and could be used • to provide a framework that ensures by other non-DOD/IC departments those solutions are in fact adequately to help implement cyber security. The implemented. overall responsibility for the federal government lies with the Department of Or, to shorthand the point, to develop Homeland Security (DHS). The needs effective public-private partnerships. are well-recognized by DHS, and it will be valuable for DHS, working with the The major telecommunications com- DOD/IC and agencies such as State to panies which are also the key Internet generate architectural solutions to be Service Providers (ISPs) have a very good adopted by other governmental agenhandle on their capabilities and vulner- cies in order to enhance cyber security. abilities. As discussed below, these actors Steps in this regard have been taken need to be integrated further into effec- under the Comprehensive National

Key Critical Infrastructures

[143]

CYBER SECURITY: AN INTEGRATED GOVERNMENTAL STRATEGY FOR PROGRESS

Cybersecurity Initiative (CNCI) which discusses, among other matters, deployment of intrusion prevention systems, enhanced situational awareness and increased research and development. The recent draft National Strategy for Trusted Identities in Cyberspace is another step in this direction and there has been a recent White House memorandum requiring continuing monitoring as State has done. Making the CNCI and related efforts effective will depend in significant part on the White House and Cabinet Secretaries determining to apply appropriate levels of effort including resources. However, it will be very important for DHS, working with both the DOD and agencies like State, to go beyond continuous monitoring/intrusion detection and protection to generate architectural solutions to be adopted by governmental agencies in order to enhance cyber security. In this connection, another valuable, related action would be to adopt legislative changes to the Federal Information Security Management Act (FISMA), which currently focuses more on procedures rather than on security outcomes, and whose amendment (as has been proposed in the Lieberman-Collins Bill) would help create greater attention to security and the necessity of providing appropriate resources. None of these efforts will succeed unless cyber security becomes mandatory for governmental departments and agencies. Until now, a combination of less than sensible requirements and decisions not to allocate adequate resources have undermined efforts at cyber security. True accountability for meeting appropriate mandatory performance requirements is necessary, and there should be no doubt that, at the [144] Georgetown Journal of International Affairs

end of the day, improved security will require such additional resources. In addition to the steps noted, there are two important issues affecting cyber security for the federal government which go beyond priorities and resources. • The first is how to establish DHS as an effective agency in the cyber security arena. • The second is to determine, as the government interfaces both with individuals and also economic entities, how protection of civil liberties, privacy and proprietary information should be ensured – and how should that should be balanced against, or (more optimistically) integrated with, effective cyber security. On the first question of DHS development, at the simplest level there is the issue of providing adequate resources – and most particularly well-trained people. DHS will need a sufficient cadre of personnel to be an effective agency in the cyber security arena. However, it may not be easy for DHS to quickly obtain the number of highly qualified cyber security personnel that would be desirable, and a policy of assignments from other agencies would supplement DHS capabilities. Creating an overall “jointness” approach between at least the DOD/IC and DHS also would reduce future frictions on the inevitable issues of which agency will have which capacities. There are, and likely will continue to be, important questions of whether there should exist multiple capabilities (some would say “redundant” capabilities)

KRAMER

when resources are scarce, especially since creating multiple centers may add to complexity which may reduce effectiveness. To maximize use of available resources, the CNCI (and other recent decisions) provides for the DOD/IC to support the rest of the government through the Department of Homeland Security. That relationship is still maturing, as is generally acknowledged (there are different views – the negative often only expressed privately – as to how well it is developing). The issue of situational awareness particularly raises concerns for some, both with questions as to the appropriateness and/or legality of the DOD/IC engaging in cyber activity within the United States even when in support of the DHS, or – for some – whether or not DHS should undertake surveillance as is planned with the so-called “Einstein” intrusion detection and protection systems with respect to the governmental cyber security domain (.gov). Given, however, the very substantial cyber threats, the indivisibility of cyber across national boundaries, and the information and capabilities needed to meet the challenge, including the necessity of situational awareness to protect governmental networks, the best solution will be to have a domestic agency undertake domestic activities although receiving appropriate support from the DOD/IC and to establish both significant civil liberty/privacy standards to be followed in cyber activities and a robust oversight approach, which would encompass not only the Executive Branch but also including engaging both the Congress and the courts (the latter through the Foreign Intelligence Surveillance Act court). A good deal of work has taken place in these areas,

International Engagement on Cyber

but clearly structured arrangements will remain invaluable. Most particularly, there needs to be open discussion of the civil liberties/ privacy standards noted above, including clarity on ar least two questions: • First, when/how does an entity seeking to interface with the government have to provide identification/authentication. • Second, in order to protect the functioning of government and government networks, whether, how, and how much will government review non-government communications. Each of these questions is getting consideration today, but there is a highly important political component to them – and, therefore, a strong case to be made to be as open as possible with the public and for engaging with the Congress either informally or formally – as part of the decision mechanism. As a general proposition, it seems sensible for the government to be able to authenticate identity when it is providing a service or a benefit. This is the approach being followed in the recently released draft National Strategy for Trusted Identities in Cyberspace. Electric Grid: The vulnerability of the electric grid has received a good deal of attention (including, for among other reasons, the publication in China of papers on how to disrupt the U.S. grid). As noted above, this is an arena in which the infrastructure is largely in private hands, and effective solutions will depend on effective public-private partnerships. On the research and development (R&D) side, the Department of Energy (DOE) has taken various steps [145]

CYBER SECURITY: AN INTEGRATED GOVERNMENTAL STRATEGY FOR PROGRESS

including the provision of grant moneys for R&D, and certain of the DOE labs are likewise working on the vulnerability issue. The industry also has taken some first steps through the North American Electric Reliability Corporation (NERC), which recently issued its report on “High-Impact, Low Frequency Event Risk to the North American Bulk Power System” that includes a useful discussion of cyber security and the grid.

of the industry’s understandable concern about how a requirement for cyber security will affect its economics – and also its clear requirements for reliability and safety.

In broad terms, then, this electric grid issue, like ones noted above, depends on priorities and resources. There is an important additional reason why the grid deserves high-level attention: the DOD cannot function without electricDespite this, concerns remain high. ity. While there is considerable focus in Two critical questions are: the DOD at this time on that vulner• what techniques, including architec- ability, and many efforts toward off-grid tures, are necessary to protect the power power solutions, very significant vulgrid, and nerability currently exists and will con• how can/should such capabilities be tinue to exist for a long time. Further, deployed in a way that provides adequate even if the DOD made its own facilities protection taking account of both risk relatively immune to grid disruption, requirements and business consider- the Pentagon depends heavily on other ations? civilian infrastructures that themselves rely on electricity, the most obvious There are techniques that potentially being telecommunications, but also all can provide additional cyber security elements of transportation and logistics. for the power grid. Thus far, however, there are no generally accepted architec- The foregoing then raises important tural and/or specific capabilities solu- issues of legislation and regulation. The tions. A much more significant effort electric power industry is, of course, sigwould seem to be warranted, especially nificantly regulated in certain ways consince there is widespread agreement that cerning rates and connections. Howevthe grid is vulnerable, there are media er, there is no federal legislation specifireports that the grid has been penetrat- cally concerning cyber security over the ed, there are (as noted above) apparent electric grid (although the federal govresearch efforts in China (and per- ernment does have certain authorities haps elsewhere) on how to take the grid over the electrical transmission systems). down and the desire to transition to the Inasmuch as the vulnerability of the “smart grid” likely will increase vulner- electric grid presents a national security abilities unless cyber security is built in vulnerability of high consequence, there from the beginning. Government can, appears to be a strong case for legislaof course, not do this alone; there needs tion and regulation that would set a fully to be a significant public-private part- integrated framework to deal with this nership. To date, that partnership has problem. Just as the safety requirements not been built. In part, this is because for cars and the environmental require-

[146] Georgetown Journal of International Affairs

KRAMER

International Engagement on Cyber

ments limiting water and air pollution have greatly improved the national posture, legislation and regulation that created an effective requirement for cyber security for critical infrastructure like the electric grid would meet an important national need.

security actions. This would include progress on such key issues as effective cyber architectures; sharing of information on threats, vulnerabilities and responses; and combined research and development. Legislation and regulation that requires effective protection would also seem appropriate so long as While there is a strong case for regu- it takes into account the structures and lation, two important considerations needs of the industry including the need need to be taken into account. to allow for innovation, competition, • First, enhancing cyber security will and effective flexible approaches (the require costs of some consequence to Lieberman-Collins bill, noted above, the industry. Any legislation should takes this general approach). take account of that fact and allow for an appropriate return; otherwise, the Espionage and Exfiltration effort to enhance cyber security would Government and industry suffer sigface widespread resistance. nificantly from espionage and exfiltra• Additionally, a second important fac- tion by national security and business tor is the quickly changing nature of the adversaries. As noted, there are public cyber sector. Cyber looks very different estimates from government officials that today than it looked only ten years ago, the losses are measured in terabytes. The and there are good reasons to believe problems arise from a combination of that it will significantly change again in failure to deploy existing capabilities, ten years. Any regulatory scheme that is failure to follow security procedures not flexible enough to take account of and adversary capabilities that can defeat such changes would either be a failure or deployed security measures. else leave the United States with a cyber industry that would fall behind those of At the national security level, there is a other countries. good deal of attention to this problem in appropriate government agencies and So, while legislation and regulation among firms significantly connected to potentially have an important place, the the DOD and/or IC. There are capainjunction “first, do no harm” is key. bilities which can be deployed today that can be worthwhile. This again raises The considerations that inform the the issue of priorities and resources discussions of electric grid and gov- and risk-adjusted analysis. That analysis ernment vulnerabilities also relate to needs to be undertaken. But, as with the telecommunications and financial the discussion above of critical infraindustries. Without trying to repeat structure, it needs to include not only the analysis, the key effort would be to government, but also the private sector. enhance and expand existing govern- As the Google matter shows, however, ment-industry interactions to ensure even capable companies with extensively effective combined private-public cyber deployed cyber security measures are [147]

CYBER SECURITY: AN INTEGRATED GOVERNMENTAL STRATEGY FOR PROGRESS

vulnerable. Current capabilities can only go so far. As noted above, generally an advanced attacker will be able to negate currently available defenses. The fundamental question that espionage/ exfiltration raises, therefore, is whether an enhanced cyber security capability can be created. Or, to put it another way, how valuable would a significant R&D program be? If it would seem to be valuable, how should it be undertaken, including what should the division of labor be between government and the private sector (including how the government should appropriately leverage private investment)?

on their own in order to meet market demands).

The key considerations are to have an integrated view of federal cyber security R&D and to ensure that appropriate amounts are being spent on developing particular solutions. Such an R&D program should have three parts. • The first would focus on protection – can advanced techniques such as virtualization, dynamic addressing and moving targets, and tailored trustworthy spaces be developed to create much enhanced cyber security? • The second would assume, as seems entirely likely, that security will not be There are, of course, many existing perfect and will therefore focus on resilefforts. Some exist under DOD and ience – how to operate a system effecIC auspices, including efforts by the tively even though security has been Defense Advanced Research Projects breached. Agency (DARPA). Others are at DHS, • A third key element would be to develwhich has developed a cyber securi- op a systematic approach to measuring ty R&D program, and at DOE which security. One element of this would be has focused on the electric grid. The to greatly enhance the area of modeling National Academy of Sciences also and simulations to test the results of both implements a program, and there are attacks and defenses. Work is ongoing in substantial resources from the private this arena now, but it would be valuable sector, some in response to the govern- to substantially enhance these efforts. ment programs and some independent R&D. In addition to specific R&D approaches, one important, long-term approach A much enhanced R&D program to enhanced R&D would be to greatly nonetheless would be highly valuable expand education and training for cyber to improve cyber security. Such a pro- professionals. A significantly increased gram could likely profitably be divided governmental education/scholarship among the government (which could do program would be very valuable. Anothmore pure research than in the private er consideration would be whether and sector, could focus on particular types how to take advantage of the increasing of applications and could help guide number of cyber professionals being private research) and the private and trained worldwide. academic sectors (which could benefit from increased government support, but which also will undertake research [148] Georgetown Journal of International Affairs

KRAMER

International Engagement on Cyber

Reducing the Vulnerability of the government and key elements of the Private Sector and Indi- the cyber security industry, and this approach is consistent with the draft vidual Citizen National Strategy for Trusted Identities in Cyberspace and other governmental efforts. • Third, the private sector may have certain advantages over the government, particularly at the network level. Networks are run by ISPs and the ISPs in broad terms have the capacity to know a good deal of what is on their networks. ISPs and other security providers likeSuch an approach does not mean that wise have the capability to remove or the larger cyber arena will be devoid limit malware or other cyber security of improvements for enhanced cyber vulnerabilities and attack vectors. The ISPs and other security providers must security. • First, much of the capabilities cre- take into account their relationships with ated for protecting cyber are, and will their customers, and there are legislative continue to be, provided by the private limits on the degree of informationsharing ISPs and other security providsector. • Second, to the extent that the gov- ers can do which limit the effectiveness ernment develops techniques, archi- of their technical capabilities. Engaging tectures or processes, those generally the ISPs and other potential private seccan be equally utilized on the non- tor providers will be important to the governmental side. Therefore, advances overall cyber security effort; few noncreated or undertaken for government specialized entities or individuals have can be transferred to the private sector. the capacity to provide effective security Of course, whether that will be done and a widespread professional industry involves both classification, bureaucratic will be invaluable. and legitimate security issues. There always will be concerns that sharing Two legislative changes would poteninformation provides a blueprint for tially make security provided by ISPs (or getting around the protective action. other private entity) significantly more Nonetheless, a policy of generally con- effective. sidering transferring advances from the • The first would be to provide authority public sector to the private sector could to allow for information-sharing and be a critical tool in the overall devel- also a mechanism that would allow the opment of cyber security. While there sharing without compromising propriwill be some matters which will need etary and/or personal information. A to be kept classified and/or limited in possible approach in this regard would circulation, that should not mean that be to create an independent entity which no useful transfers would be possible. would undertake the information transThere already is good dialogue between fer. The recommendations thus far have been to prioritize governmental efforts toward cyber security problems that have potential national security consequences. Such prioritization, as discussed, will allow for focused use of resources and a particularized approach to problem solving which should allow for greater granularity and likelihood of solution.

[149]

CYBER SECURITY: AN INTEGRATED GOVERNMENTAL STRATEGY FOR PROGRESS

• The second legislative change would be to consider a legislative structure that would limit private liability if (and when) there was a security breach when a private entity like an ISP had undertaken to provide cyber security for its customers. The fundamental issue would be whether such an action would enhance the development of an effective cyber security industry or whether limiting liability would potentially make high standards less likely to be achieved. One important element would be only to provide protection if designated standards had been met (which would require defining standards, currently a quite difficult task). If it were determined that such an approach would be valuable, consideration could be given to a variety of techniques, including government insurance or a cap on liability or some combination of these and perhaps other techniques as well.

does not mean government abandonment of other efforts – in particular law enforcement. The FBI and other agencies will continue to have important roles in maintaining cyber security.

Finally, government focus on national security issues, as recommended herein,

The views expressed do not necessarily represent the views of the Atlantic Council.

The Conclusion

A governmental strategy for cyber security of focusing on critical national security issues, but developing through them valuable benefits for the entire cyber sector will allow the appropriate prioritization and allocation of resources necessary to make progress. The strategy itself will still require programmatic actions, including the development of key building block efforts – including technology, governmental and business processes and governance, and human resources. With appropriate effort, very significant progress can be made – and, with that, cyber’s trustworthy use substantially enhanced.

NOTES

1 An enterprise (governmental or private or even an individual) will seek to: understand the computers under its control and how they are configured and operate; ensure that communications to and from the enterprise are only between valid communicants using various identification/authentication mechanisms and rules regarding communications; provide sensors that seek to understand how/when an attack is underway (or has taken place) and to block it (using various intrusion detection/prevention devices); and

[150] Georgetown Journal of International Affairs

limit the effects of an attack through various means including the proliferation/redundancy of computers providing the same service to the enterprise, limiting exfiltration from the enterprise, reviewing computers which may or have been attacked, or periodically changing the interface with the cyber world outside the enterprise including the use of virtual computers. 2 C4ISR abbreviates the term Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance.

Criminal Public-Private Partnerships: Why Can’t We Do That? Ron Plesco and Phyllis Schneck

Botnets, Email Service Providers (ESPs), and Advance Persistent Threats (APTS), such as Night Dragon, Aurora, and Zeus/Spyeye. While the terminology and complexity of cyber crime threats and targets have changed, obfuscation and criminal return on investment (ROI) have made it necessary for corporations, policymakers, and law enforcement officials to share intelligence and utilize distributed services and infrastructure in order to effectively address cyber crimes and threats. Over the last two years, the underground black market for cyber crime has matured into a global services-based shadow economy. Threat actors— ranging from individuals in Europe to Asian organized crime (OC) groups and even nation-states—now utilize this services-based economy to perpetrate their illicit acts. Cyber criminals utilize and share a complex online infrastructure that provides a veil of obfuscation for their illicit activity. Internet Service Providers (ISPs) of organized criminal groups (Botnets) provide bandwidth; Voice over Internet Protocol (VOIP) provides difficult-to-trace telecommunications services; and criminal cloud bullet-proof hosting (BP) companies permit criminals to undertake private branch exchange (PBX) exploits and to use storage or hosting services with impunity. The services offered with-

Ron Plesco is an Information Security and Privacy Attorney and the CEO of the private-sector, federally funded National Cyber Forensics & Training Alliance.

Dr. Phyllis Schneck is Chief Technology Officer for Public Sector at McAfee, Inc., where she is responsible for the technical vision for public sector applications of security and global threat intelligence, strategic thought leadership around technology and policy in cyber security, and leading McAfee initiatives in adaptive security and intelligence in networks for critical infrastructure protection and crosssector cybersecurity.

[ 1 51 ]

CRIMINAL PUBLIC-PRIVATE PARTNERSHIPS

in this infrastructure include exploit developers and coders-for-hire who can custom tailor malware to penetrate a specific target such as a specific business network, operating system, or mobile device for APT or other criminal purposes. Virtual money laundering is offered as a service that provides wire transfer or money mule cash for a percentage fee. Similarly, shipment

vide evidence of the shadow economy’s existence in their reports as well.1 U.S. law enforcement efforts in 2009, 2010, and 2011 further confirm the criminality of this underground economy through notable arrests involving Mariposa, Zeus, Iceman, and Gonzalez.2 The profit model is tremendous for the cyber criminal, with a low barrier to entry and a high return on invest-

Over the last two years, the underground

black market for cyber crime has matured into a global services-based shadow economy. services are provided through shipment mule networks. Criminal near realtime information sharing and collaboration is offered via Internet Relay Chat (IRC), BP hosters, and DYI videos, and is enabled through criminal shareware and applications. Through the complacence or outright support of nationstate governments, organized criminal groups and other threat actors are actively engaging in a worldwide publicprivate partnership of targeted cyber crime and intelligence operations. This criminal shadow economy is well known among government agencies and private enterprises that operate in the cyber domain. It is cited and discussed in numerous cases, articles, reports and whitepapers of law enforcement agencies, antivirus companies, defense industrial bases, telecommunications companies, ISPs, and companies in the hardware and software industry. Furthermore, companies and organizations that operate in targeted sectors—such as finance, energy, oil and gas, healthcare, and pharmaceuticals—frequently pro-

[152] Georgetown Journal of International Affairs

ment. We are in a race to break this model and to make it more difficult to access our systems and information, and to create higher penalties for cyber crime. Accomplishing this task will require a confluence of policy and technology that will bring together international law and the communications infrastructure to ensure the security and resiliency of a cyber domain where effective law enforcement and criminal prosecution are possible.

The National Cyber Forensics & Training Alliance – a Partnership to Combat Cyber Crime As the private and public sectors attempt to combat crime in the cyber domain’s criminal underground economy, the need to develop attributable, actionable intelligence for mitigation and targeting is paramount. This goal may only be achieved through the formation and utilization of private-public cyber intelligence alliances. A strong alliance between the private and public sectors is very important, as there are currently

PLESCO & SCHNECK

many models in which entities that are led and funded by the private sector are achieving measurable mitigation and attribution results. Several successful sector-specific models currently exist, such as the Information Sharing and Analysis Centers (ISACs)—namely, the Financial Services ISAC and the Research and Education Networking ISAC—Shadowserver, company-led taskforces such as Microsoft, and academic-based partnerships such as those at the University of Alabama at Birmingham, the University of Oregon, and Georgia Institute of Technology. The only international cross-sector model for combating cyber crime that currently exists is the National Cyber Forensics & Training Alliance (NCFTA). The NCFTA unites more than five hundred subject matter experts (SMEs) from the public and private sectors in a worldwide network. The NCFTA seeks to identify, mitigate, and neutralize cyber crime through international collaboration via data and people. The NCFTA is a 501(c)(3) nonprofit corporation that was incorporated in the Commonwealth of Pennsylvania in October 2002. Headquartered in Pittsburgh, Pennsylvania with an office in Fairmont, West Virginia, the NCFTA was created with the mission of facilitating collaboration among private industry, academia, and law enforcement to identify, mitigate, and neutralize complex cyber-related threats. The NCFTA’s thirty-eight member, onsite combined staff includes analysts, managers, representatives from state and local industry and law enforcement agencies, as well as agents and analysts from the Federal Bureau of Investigation, the U.S. Immigration

International Engagement on Cyber

and Customs Enforcement, and the U.S. Postal Inspection Service.3 The NCFTA regularly hosts temporary duty assignments from national and international law enforcement agencies and private sector companies,4 and is partnered with and collocated at the Internet Crime Complaint Center (IC3).5 The NCFTA promotes a streamlined and timely exchange of intelligence related to the most significant cyber threats to corporate interests and emerging cyber trends. With partnership NCFTA entities in India, Canada, and Germany, the NCFTA organizes collaboration between private sector SMEs and law enforcement officials on specific threats to best position the alliance to manage the collection and sharing of intelligence among alliance partners, other cross-sector SMEs, and law enforcement agencies. The efforts of the NCFTA have resulted in hundreds of criminal (and some civil) investigations and the prosecution of more than three hundred cyber criminals worldwide. The NCFTA has also produced more than five hundred cyber threat intelligence reports in the past three years alone. Currently, the NCFTA manages initiatives that focus on advanced persistent threats (APTs) and other cyber threats and crimes in the areas of finance, brokerage, pharmaceuticals, telecommunications, web hosting, retail, email service providers, shipment, and industrial control systems. These initiatives also focus on the black market infrastructure that supports cyber threats and crimes, including Botnets, hosting companies, malware, money laundering, and shipment/money mule recruitment. The NCFTA facilitates private-sec-

[ 1 53]

CRIMINAL PUBLIC-PRIVATE PARTNERSHIPS

tor communication and law enforcement analysis by providing a nonprofit, non-government collaboration capability that can be used by governments when permissible, and can provide chain of custody protection for data that may be used in future cyber criminal prosecution. Similar cross-sector models are needed if we are to effectively share actionable and

attributable intelligence to identify, mitigate, and neutralize cyber threats. Effectively combating cyber crime is a significant task, and requires the combined efforts of many different entities and stakeholders. In order to make the cyber domain a more secure place, the NCFTA should serve as a model for continued development in private-public partnerships.

NOTES

1 See McAfee North American Criminology Report, Mandiant M Trends Report, 2011 Verizon Data Breach Investigations Report, National Strategy for Trusted Identities in Cyberspace and Whitehouse Cyber Space Policy Review. 2 See Robert McMillan, “Spanish Police Take Down Massive Mariposa Botnet,” Computerworld, Internet, http://www.computerworld.com/s/article/9164838/ Spanish_police_take_down_massive_Mariposa_botnet (date accessed: 5 August 2011); Robert McMillan, “Criminal Hacker ‘Iceman’ Gets 13 Years,” CIO, Internet, http://www.cio.com.au/article/336200/ criminal_hacker_iceman_gets_13_years/ (date accessed: 7 August 2011); Tony Bradley, “Zeuz Botnet Bust Shows Malware is All About Money,” PCWorld, Internet, http://www.pcworld.com/businesscenter/article/206726/zeus_botnet_bust_shows_malware_is_all_ about_money.html (date accessed: 4 August 2011); Siobhan Gorman, “Arrest in Epic Cyber Swindle,” The Wallstreet Journal, Internet, http://online.wsj.com/ article/SB125053669921337753.html (date accessed: 10 August 2011).

[154] Georgetown Journal of International Affairs

3 The FBI has assigned agents and personnel at the NCFTA to develop intelligence related to threats, investigation, and mitigation of cyber crimes. 4 In 2008, 2009, and 2011 the NCFTA hosted representatives, agents, and/or delegations for various durations of time from the following Countries: Australia, Canada, England (London Metropolitan Police and SOCA), Germany (Bundeskriminalamt), India, Italy, Romania, Turkey, and the following federal agencies: IC, DHS (CERT, ICE, USSS) DoJ, DEA,,DoD/DIA, NASA, NSA, U.S. Postal, and USPIS. 5 The IC3 was established as a partnership between the FBI and the National White Collar Crime Center (NW3C) to serve as a means to receive Internetrelated criminal complaints and to research, develop, and refer the criminal complaints to federal, state, local, or international law enforcement and/or regulatory agencies for any investigation they deem to be appropriate.

Counterinsurgency in Cyberspace John R. Mills George Kennan’s 1946 long telegram from Moscow helped to explain Soviet behavior and became one of the seminal thought pieces of the Cold War. It contributed to the establishment of the theory of containment toward a peer superpower competitor. In today’s evolving world of cyber, it is not clear whether we have the decisive cyber equivalent of Kennan’s telegram – a document or source that outlines the potentialities and dangers of cyberspace and that guides policymakers in their approach to the cyber domain. Perhaps we do have the beginnings of a “cyber” long telegram, at least when it comes to dealing with rational peer actors. It could come in the form of a major article in Foreign Affairs,1 or in the recognized efforts of the National Security Staff to create a unified, total-government approach to the cyber problem set. Or, perhaps it could be the Department of States’ naming of a Cyber Advisor, or testimony espousing a cyber “Monroe Doctrine,”2 or DoD and DHS unified approaches to cyber policy, planning, and operations. While excellent sources on the topic already exist, it may take a while for our national security professionals to realize that we already have that decisive Kennan-like long telegram. One aspect of the cyber arena that is different from the Cold War era, however, is that many irrational, non-

John R. Mills is one of the lead DoD coordinators for major DoD and U.S. Government cyber efforts. He was the DoD representative to the Executive Office of the President and the National Security Council for the 2009 60-Day Cyberspace Policy Review. Mr. Mills is currently a Colonel in the U.S. Army Reserve and spent two years conducting operations and planning with the Joint Staff at the Pentagon and at Central Command.

[ 1 57 ]

COUNTERINSURGENCY IN CYBERSPACE

state actors3 have gained access to this domain because of the low cost of admission. While long-term, bi-lateral confidence-building measures can help to establish cyber norms of behavior among nation states, these measures are often irrelevant, amusing, and merely annoying to non-state participants that seek and thrive upon cyber chaos. Therefore, the real source of conflict and instability in cyberspace will more likely be these non-state threat vectors rather than peer competitors. Because of the low cost of entry and

pines at the beginning of the twentieth century, in Malaya in the 1950s-1960s, in Columbia in the late 1990s to the present, and in Iraq in 2004-2008, have all reflected this successful counterinsurgency tenet. A significant element of this strategy is to identify and exploit gaps and seams among factions struggling to be the dominant element of the insurgency. In other words, a key element involves inciting the insurgents to fight among themselves. At Georgetown University’s recent International Engagement on Cyber

A creative counterinsugency strategy

and mindset must be followed to deter and eliminate these insidious elements. anonymity – lacking any accepted international norm on trusted identities in cyber – these threat vectors can do great harm and cannot be dealt with through conventional means. A creative counterinsurgency strategy and mindset must be followed to deter and eliminate these insidious elements. Successful tenets of counterinsurgency must be updated and applied in the world of cyber. Following is a basic four-part plan to conduct counterinsurgency in cyberspace successfully.

Chaos Within the Chaos Inducing the Cyberinsurgents to Turn on Themselves Successful

counterinsurgencies have a common strategy – securing the local population and convincing them to deny sanctuary to the insurgents. Successful counterinsurgencies such as those in the Philip-

[158] Georgetown Journal of International Affairs

conference,4 Jeff Moss, the proto-typical converted cyber insurgent,5 discussed the concept of “Bug Bounties.” These bounties are rewards offered by industry and government as payment for the presentation of a “pelt,”— providing incriminating details of possession, use, or ownership of malware code. In the early days of freewheeling cyber hacking, this strategy may not have worked because of the kindred spirit and like-minded nature of hackers in generating chaos. Since that time, however, the dynamic in the hacker world has changed significantly. Many malware developers now realize that there is a significant revenue stream to be had through creation, sale, rental, leasing, etc. of malware code. Now that an enterprise can be sustained through the generation of mal-revenue, there is a disincentive to

MILLS

share or freely exchange code. It is now a valuable commodity with a significant street price, brand recognition, and reputation that must be closely nurtured and husbanded. Ergo, turning in your competition contributes to effectively reducing the competition. A variant of this sub-strategy is turning one’s competition over to the authorities for ideological reasons, as in the case of Adrian Lano,6 who was of great assistance in the identification of Private Bradley Manning, currently being held pending his trial for the Wikileaks episode. Regardless of the outcome or the ideal in question, no one group can assume to have a monolithic hold on cyber ideology. There are undoubtedly cyber counter-revolutionaries out there. It is the job of national security professionals to identify these situations and to leverage them in order to create desired nation-state outcomes in cyber. “Gameification” as part of hunting the insurgency is an interesting cyberage angle of the classic counterinsurgency strategy of fomenting dissention among insurgent elements. Dr. Jarret Brachman7 has done an excellent job of tracking and articulating the transformation of 9/11-era Al-Qaeda into a more sophisticated online variant of itself—which now uses “Gameification” techniques as recruiting tools for young Jihadists. Gameification is a cyber phenomenon in which players are given points/status/rewards for their online cyber actions and participation. There is a measurable psychological behavior in cyber once the play space is “Gameified.” Cyber counterinsurgents can also use the “Gameification” concept to recruit other Cyber Coun-

International Engagement on Cyber

terinsurgents in their hunt for Cyber Insurgents. To understand this concept of the gaming culture that has strongly bled over into cyber, watch the latest Kevin Butler PS3 ad on YouTube. If the name Kevin Butler is not immediately recognizable, the reader is out of touch with a very significant cyber market demographic and is in need of immediate “cyber hipness” training.

Unified, Total-Government Action in Cyberspace The sum-

mer of 2007 was the BC/AD tipping point of modern cyber as we know it. Not only was organized cyber aggression against Estonia in progress, but a rare occurrence happened in the American Federal Government as well. A variety of personalities, events, and forces came together in a way that is extremely difficult to replicate in the Executive Branch of the United States. Departments and Agencies with little vested interest in cooperating across title lines came together and cooperated to produce NS/HSPD-54/23,8 commonly known as the Comprehensive National Cybersecurity Initiative. Signed on 8 January 2008, CNCI touched off a brief eighteen-month “Cyber Camelot.” Led by Melissa Hathaway, this was an extraordinary period of inter-agency cooperation, dialogue, and progress. The passage of time and the drag coefficient of budget issues, domestic economic crises, and a panoply of new and expanded challenges to our mono-superpower status and national stability are consuming the available bandwidth of Department and Agency attention spans. Nevertheless, a core of dedicated professionals throughout the national security enterprise are

[ 1 59]

COUNTERINSURGENCY IN CYBERSPACE

still focused on the cyber problem set, building upon CNCI and the “Sixty Day Cyber Review” led by Ms. Hathaway. The unified action articulated in NS/HSPD-54/23 is essential to effective cyber counterinsurgency. In classic counterinsurgency, protecting the population and marginalizing disparate insurgent elements is not just a kinetic activity. Rather, it requires a totalgovernment approach that addresses basic health and welfare issues, economics, policing, judicial processes, etc. The same type of approach is necessary in cyber as well. Not everything in cyber is a nail upon which one can hit a hammer. The military and intelligence instruments of National Power are merely enablers to provide a secure environment for our true national center of gravity – our Gross Domestic Product and intellectual capital. This unified total-government approach is not just the domain of the Executive Branch; it is also closely tied to the supporting fires of congressional legislation, and therefore calls for a strong dialogue between the executive and legislative branches of the Federal Government. Furthermore, it extends beyond government to participative and constructive engage-

Whoever influences cyber standards and technology dominates the game board, which gives the U.S. Government great incentive for creating strong partnerships with these organizations.

Establishing Cyber Hygiene

Cyber hygiene is the cyber equivalent of a traffic security checkpoint in counterinsurgency operations. This of course does not refer to a Serbian Police checkpoint intended to shake down Bosnian vehicle occupants; rather, it is a functional cyber vehicle maintenance checkpoint, where one must adhere to basic security standards before “getting on the cyber road.” Such a “checkpoint” could include active and resident anti-virus programs, paid and updated anti-virus and spyware subscriptions (and evidence thereof), active firewalls with medium levels of control, some level of digital identity, and updated service packs for the appropriate operating environment. At the foundation of clean cyber hygiene—just as in classic counterinsurgency—is the need to share threat information safely and without attribution. This is a very serious matter in both real and cyber counterinsurgency operations. Just as the human

At the foundation of clean cyber hygiene ...is the need to share threat information safely and without attribution. ment with critical private-sector and association partners such as the Internet Corporation for Assigned Names and Numbers (ICANN)9 or the Security Innovation Network (SINET).10

[160] Georgetown Journal of International Affairs

intelligence source and handler must totally conceal their identities from head to foot when identifying insurgents in a lineup, so must the cyber source be able to share without fear of

MILLS

International Engagement on Cyber

physical (or share price) retribution. Thus, in order to create a safe environment for cyber hygiene during cyber counterinsurgency, establishment of a “Civil Military Operations Center”11 should be considered. This brick and mortar or virtual escrow environment will provide a safe and secure location where a cyber source can share information without fear or revelation of who said what to whom.

the Computer Science Engineer, Information Assurance Specialist, Cyber Forensics Analyst, and other similar positions. Technological innovation is part of this process and must be pursued steadfastly to ensure our technical advantage in cyberspace. It has been said that for every computer engineer we produce, threat vectors can throw ten at the cyber “barbed wire.” So, as in classical counterinsurgency, this cannot be a conflict of attrition; if it becomes Establishing the Cyber Coun- one, then the insurgent has the advanterinsurgency Training and tage. Our cyber counterinsurgents must Technology Pipeline Without be better trained, better equipped, trained cyber counterinsurgents, there and practice better operational art. is no cyber counterinsurgency program. Universities have adapted to Conclusion Near peer competitors the changing cyber environment with and rational actors have been, can be, impressive programs such as the Uni- and will continue to be dealt with. It versity of Maryland’s University College is the mortally destabilizing effect of Cybersecurity Program.12 The process irrational cyber insurgents that are the of training in cyber counterinsurgency gravest danger to our national security. should begin earlier than this, however, Cyber insurgents can easily sidestep and must be inculcated at the earliest the DIMEFIL14 instruments of national levels of education.13 Here is where the power and go straight to the high proKevin Butlers of the future are to be tein center of gravity of our nation state found. In the 1950s and 1960s it was – our GDP and intellectual capital. “cool” and impressive to be an Aero- Thus, it is the job and prerogative of space Engineer. In the present day, that national security professionals to counsame mystique should be cultivated for ter these insurgents in the cyber domain.

[ 1 61 ]

COUNTERINSURGENCY IN CYBERSPACE

NOTES

1 See William J. Lynn III, “Defending a New Domain: The Pentagon’s Cyber Strategy,” Foreign Affairs, Internet, http://www.foreignaffairs.com/ articles/66552/william-j-lynn-iii/defending-a-newdomain (date accessed: 16 April 2011). 2 See “The Monroe Doctrine in Cyberspace,” Internet, http://www.whitehouse.gov/files/documents/cyber/Davidson%20MaryAnn%20-%20 The%20Monroe%20Doctrine%20in%20Cyberspace.pdf (date accessed: 12 April 2011). 3 Individuals, organized crime, and international terror. 4 Jeff Moss, International Engagement in Cyber. Georgetown University, Washington, DC. 29 Mar. 2011. Lecture. 5 “Obama Taps Well-Known Hacker as Security Adviser,” Fox News, Internet, http://www.foxnews. com/story/0,2933,525428,00.html (date accessed: 12 April 2011). 6 Sanjiv Bhattacharya, “Wikileaks ‘Snitch’ Hacker Faces Wrath of His Peers,” AOL News, Internet, http:// www.aolnews.com/2010/07/21/wikileaks-snitchhacker-faces-wrath-of-his-peers/ (date accessed: 10 April 2011). 7 Cronus Global, LLC, Internet, http://jarretbrachman.net/ (date accessed: 16 April 2011).

[162] Georgetown Journal of International Affairs

8 “The Comprehensive National Cybersecurity Initiative,” Internet, http://www.fas.org/irp/eprint/ cnci.pdf (date accessed: 12 April 2011). 9 Internet Corporation for Assigned Names and Numbers, Internet, http://www.icann.org/. ICANN President Rod Beckstrom and his staff have done an excellent job of articulating the strategic vision of this absolutely seminal organization; see http://www.icann. org/en/planning/ . 10 See “Security Innovation Network,” Internet, http://www.security-innovation.org/ (date accessed: 14 April 2011). 11 Civil Military Operations Center, Internet, http://www.fas.org/man/dod-101/army/unit/docs/ cdd/civil.htm (date accessed: 13 April 2011). 12 “Cybersecurity,” The University of Maryland, Internet, http://www.umuc.edu/spotlight/cybersecurity.cfm (date accessed: 13 April 2011). 13 National Initiative for Cybersecurity Education, Internet, http://csrc.nist.gov/nice/ (date accessed: 13 April 2011). 14 Diplomatic, Information, Military, Economic, Financial, Intelligence, and Law Enforcement measures.

Creating the Demand Curve for Cybersecurity Melissa Hathaway This article has been updated from an earlier version that was published by the Atlantic Council in December 2010. The original is available at: http://www.acus.org/files/publication_pdfs/403/121610_ACUS_Hathaway_CyberDemand. pdf America’s future economic and national security posture enabled by the digital revolution is at risk. If the Administration is serious about mitigating that risk by increasing the security of the nation’s information and communications infrastructure, it should exercise every instrument of power to drive us toward a better place. With little more than one year left in this Administration, there are fewer options at hand to drive progress. The President’s Fiscal Year 2012 budget is under review by Congress and maintains the status quo for funding cybersecurity programs. Further, the President’s staff continues to struggle with the complex policy formulation regarding cybersecurity and are slow to make progress on the nearly two dozen recommendations set forth in the Cyberspace Policy Review. Even if policy changes were imminent, without a funding priority underpinning the initiatives, one can expect little change. The combination of divided government and the upcoming presidential election cycle means that making progress

Melissa Hathaway led President Obama’s Cyberspace Policy Review and previously led the development of the Comprehensive National Cybersecurity Initiative (CNCI) for President George W. Bush. She is now President of Hathaway Global Strategies LLC and Senior Advisor at Harvard Kennedy School’s Belfer Center.

[ 1 63]

CREATING THE DEMAND CURVE FOR CYBERSECURITY

on its policy priorities will be challenging for the Administration. But the President has other levers of power that he could use to raise awareness of what is at stake and set us on a better path to keep our economy and our citizens secure. They would not require congressional approval; rather, they would require political resolve and determination to make dramatic change in our risk posture during the remaining term of his Administration. The President can turn to three independent regulatory agencies for help: the Securities and Exchange Commission, the Federal Communications Commission, and the Federal Trade Commission. A strategy involving these three agencies could dramatically increase awareness of what is happening to our core infrastructure and drive an innovation agenda to strengthen our information security posture. Furthermore, this strategy could increase productivity because it will reduce the losses sustained on a daily basis by our companies and citizens.

would ask management to provide an assessment of the effectiveness of the registrant’s controls over the protection of proprietary and confidential personal data, mission critical systems, and their incident response and remediation capability in the event of an incident. An announcement could recognize that companies continue to face significant challenges in their ability to appropriately protect their computer systems, secure their proprietary, customer, and financial information, and safeguard the integrity of business and other transactions that they conduct over the Internet. Reports are released daily that reveal the industry losses that result from poor information security policies and porous infrastructures. This is an area that needs greater transparency. In fact, a recent report by the Ponemon Institute disclosed that on “an annualized basis, information theft accounts for 42 percent of total external costs, and the costs associated with disruption to business or lost productivity accounts for 22 percent of external costs.”2 Many firms are resistant to pubTurning to the Securities and lic disclosure because the details of their Exchange Commission First, compromises or breach may change the President should consider asking public perception or impact customer the Securities and Exchange Commis- confidence or competitive advantage. sion (SEC) to examine and evaluate a We may, however, be at a turning policy that would require Chief Execu- point. Since the January 2010 incident tive Officers (CEOs) to attest to the involving Google, more executives are integrity of their company’s informa- discussing the topic of information tion infrastructure.1 The SEC could security and cybersecurity. Alan Paller open a dialogue with industry through of the SANS Institute announced that an administrative notice to indus- the Google incident actually affected try informing them that the SEC will more than two thousand companies.3 consider making a rule regarding the In its January 2010 annual report filed thresholds of materiality risk in the area with the SEC, Intel Corporation disof information security. This notice closed “[w]e may be subject to intelwould inform registrants that the SEC lectual property theft or misuse, which

[164] Georgetown Journal of International Affairs

HATHAWAY

could result in third-party claims and harm our business and results of operations.” The corporation’s proactive selfdisclosure suggests that management understands the risk assumed by the business. Can the SEC facilitate other companies to assume more pro-active measures to determine if they have been penetrated and have lost information? Even beginning a dialogue on this issue may force companies to better understand the scope, adequacy, and effectiveness of the internal control structure and procedures for protecting their information assets (data and infrastructure), and to invest in risk mitigation actions. But if that is not enough, in its review of the quarterly and annual reports and other filings by registrants, the SEC staff could ask registrants whether they have adequately disclosed material risk to their company’s protection of customer data, proprietary data, and mission critical systems and infrastructures. Separately, when assessing internal controls, auditors could assess the company’s internal controls for the protection of internal financial and management data. Because if that data is not secure, how can the assessments be reliable to shareholders? There are other attendant benefits of the SEC moving in this direction. First, it will create a national, if not international, dialogue on the extent of professional criminal activity and depth of economic espionage conducted against global corporations worldwide. Board rooms around the world will turn to the CEO, Chief Information Security Officer (CISO), Chief Information Officer (CIO), and Chief Risk Officer and ask what they are doing to improve the level of security

International Engagement on Cyber

of their infrastructure and the online environment that supports it. As material risk is discovered, reporting will result in data and statistics, and will perhaps yield a quantitative picture of the economic impact of intrusions. This risk disclosure may also facilitate the identification of solutions to the root cause of the problem. Industry will demand industry-led innovation with a newfound sense of urgency to eliminate or mitigate the risk of reporting in the following year. Companies may turn to their Internet service providers (ISPs) to provide increased managed security services on their behalf. Concurrently, the security product industry will have an increased market-driven requirement to deliver products that perform with higher assurance levels. The research community will now also have access to data that will facilitate idea creation and innovative solutions that increase security across the entire architecture. The increased data that will result from such risk filings may also lead to the growth of an insurance industry that will help companies to absorb costs if they show a minimum standard of due care. While some insurance companies are beginning to offer policies that are designed to protect businesses should they fall victim to intrusions or other forms of online disaster, there presently is not enough actuarial data from which to reliably base the premium rates.4 If companies had to disclose intrusions and the associated external costs of lost intellectual property or lost productivity, insurance policies and costs would have to be more predictable. Further, as more data becomes available, a standard of care or best practices of the enterprise could emerge. This

[ 1 65]

CREATING THE DEMAND CURVE FOR CYBERSECURITY

would allow businesses to deploy capabilities in a way that provides adequate protection, taking into account risk requirements and business operations. Then, if a corporation has implemented adequate defenses of its networks or information assets and a breach does occur (e.g., illegal copying and movement of data), it could call upon its insurance plan to supplant the losses. Of course, this will lead to a discussion on liability, and may in fact unfold the legal underpinnings associated with it. This proposal may seem somewhat dramatic and industry may appeal the unintended consequences of implementing a rule in this area, citing high

nies and Internet Service Providers (ISPs) to shoulder greater responsibility in protecting our infrastructure. The major telecommunications providers and ISPs, collectively, have unparalleled visibility into global networks, which enables them with the proper tools to detect cyber intrusions and attacks as they are forming and transiting towards their targets.5 They even have the ability to tell you, as a consumer, if your computer or network as been infected. For example, Comcast is “expanding a pilot program that began in Denver last year, which automatically informs affected customers with an e-mail urging them to visit the company’s secu-

The major telecommunications provid-

ers and ISPs, collectively, have unparalleled visibility into global networks... costs and reduced competitiveness. But regulators can compare this proposal to the Sarbanes-Oxley Act of 2002, which introduced major changes to the regulation of corporate governance and financial practice as a result of identified weaknesses, as illustrated by the Enron case among others. And why should the SEC not take measures to protect the near-term economic infrastructure and long-term growth of publicly traded companies?

rity page.”6 Customers are receiving alerts, being offered anti-virus customer service, and receiving free subscriptions to Norton security software. While these companies are only beginning to offer these tools to customers as an enhanced service, they already employ sophisticated tools and techniques for countering attacks to their own infrastructure and the networks. So, why does the FCC not mandate that this service be provided more generally to clean up our infrastructure? Turning to the Federal Of course, this may open a dialogue Communications Commission or request to limit the liability for Together with the SEC option, the providing such a managed security serPresident can turn to the Federal Com- vice. Perhaps the “good Samaritan” munications Commission (FCC) to clause in the Telecommunications Act enlist private-sector talent and require of 1996 could be reviewed and applied the core telecommunications compa- to quell any concerns that may surface.7

[166] Georgetown Journal of International Affairs

HATHAWAY

Other countries are turning to their ISPs to ensure the health of their Internet backbone. For example, Germany has determined that the botnet infestation (large clusters of zombie computers, controlled by third parties, that can be used for cyber attacks) in its private infrastructure is a priority for national defense. As such, the German Federal Office for Information Security (BSI) has mandated that its ISPs track down infected machines and provide advice to users on how to clean their computers.8 Similarly, Australia’s ISPs have adopted a code of conduct designed to mitigate cyber threats and inform, educate, and protect their users from cybersecurity risks.9 The European Parliament and Council of Ministers reached an agreement on pan-European telecommunications reform that will be transposed into national laws in the coming months. It obliges the ISPs to take more responsibility for providing enhanced security services to their customers and to report all security incidents to the European Network and Information Security Agency (ENISA).10 If the FCC were to require such a service to be implemented in the United States, it would immediately reduce the proliferation of malware and infections. Such a requirement would also focus attention and innovation toward more sophisticated threats, and would establish a baseline of security for the broad infrastructure. Further, the FCC could request that there be a reporting function associated with this service. Combining their collective network visibility would support a national warning and assessment capability, and would also facilitate a real-time exchange and consolidation of threat information

International Engagement on Cyber

and response capabilities.11 The created information base would cut across all segments of the private and public sector, providing a good view as to where and how resources should be allocated. Providing this type of service should be a requirement not only for the “traditional” telecommunications carriers like AT&T, Verizon, and Sprint, but for other ISPs that provide core communications services as well, such as Comcast, Cox Communications, and Time-Warner Cable. Furthermore, companies like Google, Microsoft, and Amazon should also be required to provide this type of notification or reporting for their Cloud services. Given the rapid consumer adoption (government, industry, and citizen) of technology and the growing migration of essential services to Internetbased infrastructure, the FCC should classify broadband and other Internet services as core telecommunications. As the communications infrastructure migrates from older to newer technologies, services like energy (Smart Grid) and public safety (Voice Over Internet Protocol) will be carried over a communications network that may or may not be built to the same standards for which the traditional voice telephone system was built. The FCC realizes that it “needs a clear strategy for securing the vital communications networks upon which critical infrastructure and public safety communications rely,”12 but is that enough? Key in this debate is the issue of preserving the open Internet while allowing network operators the flexibility and freedom to manage their networks as they provide security to our core infrastructure. Another important question is whether to hold

[ 1 67 ]

CREATING THE DEMAND CURVE FOR CYBERSECURITY

wireless broadband and wireline carriers to the same standard in the coming decade, when growth will be derived by wireless services and technologies.13 Whether wireline or wireless, the FCC must take a stance and assure that carriers contribute to the security and resiliency of our communications infrastructure. After all, it is the very service for which they have assured we will have 100 percent uptime. Why not provide it with less malware, spam, and infections? It would certainly help the companies that are under constant barrage from those trying to copy their intellectual property illegally. It would help the average consumer in taking action to address a compromised PC on the

work into their homes; and companies, from the smallest local store to the largest multinational corporation, are ordering their goods, paying their vendors and selling to their customers online. However, the Internet will not reach its full potential as a medium until users feel more secure than they do today when they go online.”14 This statement illustrates why the President must turn to the Federal Trade Commission (FTC) in order to engage the public on cybersecurity. Criminal activity targeted toward consumers is a pandemic that must be addressed head on. Countries around the world are calling for action. Professional criminals are innovating and

Criminal activity targeted toward

consumers is a pandemic that must be addressed head on. home network. And it would help the government to develop a better understanding of the malicious activity that happens inside the networks and infrastructures that are key to the nation’s economic growth and security posture.

developing new ways to generate revenue from compromising our computers through scams, spam, and malicious software. They adapt to whatever information security measures are in place and rob our bank accounts, steal our credit cards, and assume our Turning to the Federal Trade identity. The Federal Trade CommisCommission As Secretary Locke sion has a broad mandate to protect recently stated, “each year, the world consumers and to educate consumers does an estimated $10 trillion of busi- and businesses on the fundamental ness online. Nearly every transaction importance of good information secuyou can think of can now be done over rity practices. The FTC believes that the Internet: consumers can pay their companies must take the appropriate utility bills from their smart phones; steps to protect consumers’ privacy and nearly 20 percent of taxpayers file information and that they should have returns electronically; people down- a legal obligation to take reasonable load movies, music, books and art- steps to guard against reasonably antic-

[168] Georgetown Journal of International Affairs

HATHAWAY

ipated vulnerabilities. The FTC maintains a website (www.OnGuardOnline. gov) that provides practical tips from the federal government and the technology industry to help consumers and businesses to guard against Internet fraud, to secure their computers, and to protect personal information. But this is not enough when it comes to making consumers aware of the risks associated with e-transactions. The FTC should consider a more proactive initiative and require all e-commerce transactions to carry a warning banner or label that informs consumers that they are assuming a risk by conducting e-transactions and that their transaction may not be secure and in fact could compromise their credentials. This can be compared to the tobacco label of “smoking is hazardous to your health” or the label on a bottle of wine that warns the consumer that “consumption of alcohol may cause health problems.” An e-transaction warning label may seem like a drastic step toward improving the ability of firms and consumers to keep pace with ever-evolving cybersecurity risks, but it will raise awareness for every person who executes on-line transactions. In 2009, online retail sales grew 2 percent to reach $134.9 billion, while total retail sales fell 7 percent in that same year.15 Analysts expect this trend to continue. At the same time, security analysts see the growth of cyber crimes increasing by more than 20 percent on a year over year basis. Consumers must be aware of the risks of e-commerce, and providers have a responsibility to disclose that they are taking all necessary measures to ensure that their infrastructure is secure, at least to a minimum standard,

International Engagement on Cyber

and that they are working diligently to protect their consumers’ transactions. The FTC might also consider establishing baseline standards for conducting trusted transactions in cyberspace, such as secure encrypted envelopes, digitally signed critical information, and secure serial numbering and checking to provide more protection for online consumer transactions. They should not prescribe technical solutions per se, but rather, principles of protection. The Commerce Department and the FTC must ensure that the Internet remains a fertile ground for an expanding range of commercial and consumer activity. They also must do a better job of raising national awareness of the forces that put consumer e-commerce activity at risk.

Conclusion If the Administration

truly seeks to make cybersecurity a national priority it must move away from the tactical programs that we have seen thus far that may militarize cyberspace (e.g., creation of Cyber Command) or may create a false sense of control, privacy, and security with the National Strategy for Trusted Identities in Cyberspace. We need real leadership and bold steps. While not everyone would embrace this proposed economic triad of regulation, these initiatives would be a catalyst for change and constitute a “shot-in-the-arm” to raise awareness and boost our national cyber defense immediately. These initiatives also could signal to the international community that the United States is serious, and with the full commitment of the nation, will solve this problem. The Administration has few tools left in the remaining year of this term. It is [ 1 69]

CREATING THE DEMAND CURVE FOR CYBERSECURITY

a bold step to turn to the independent regulatory bodies, but it is a tool that is at the sole prerogative of the President. While these proposals may face resistance, they will spark debate and dialogue, which by itself could accelerate addressing the problem responsibly. We need to raise national awareness quickly. We can no longer afford to have a polite conversation, or worse yet, remain silent. Rather, we need to be guided by the urgency and serious

ness of the situation, develop an exquisite understanding of what is at stake, and address it with good old-fashioned American ingenuity. We can create and drive an innovation agenda to strengthen our information security posture, and perhaps gain economic strength as we increase productivity. This proposal, if implemented, will create the demand curve for cybersecurity and will reduce the losses sustained on a daily basis by our companies and citizens.

NOTES

1 Melissa Hathaway published this argument in December 2010 in an Atlantic Council Issue Paper. Since the publication of her article, Senator Rockefeller sent a letter to SEC Chairman Mary Schapiro on 11 May 2011. In the letter, he asked the SEC to look into corporate accountability for risk management through the enforcement of material risk reporting. In June 2011, Chairman Schapiro said that the SEC would look into the matter. 2 Ponemon Institute, “First Annual Cost of Cyber Crime Study,” July 2010 3 Alan Paller, “SANS WhatWorks in Security Architecture Summit 2010” (Las Vegas, NV, May 2010). 4 David Briody, “Full Coverage: How to Hedge Your Cyber Risk.” INC., Internet, http://www.inc. com/magazine/20070401/technology-insurance. html (date accessed: 4 August 2011) 5 National Defense Authorization Act of 2011, H.R. 5136, 111th Congress, 2011. 6 Brian Krebs, “Comcast Pushes Bot Alert Program Nationwide” Krebs on Security, Internet, http:// krebsonsecurity.com/2010/10/comcast-pushes-botalert-program-nationwide/. 7 The Telecommunications Act of 1996. Pub. L. No. 104-104, 110 Stat. 56. The 1996 Telecommunications Act included a “good Samaritan” provision to protect Internet Service Providers (ISPs) from liability when they act in good faith to block or screen offensive content hosted on their systems. Id. § 230(c).

[170] Georgetown Journal of International Affairs

8 John Leyden, “German ISPs team up with gov agency to clean up malware.” The Register, 9 December 2009. 9 Ben Bain, “Australia Taps ISPs to Fight ‘Zombies’,” Federal Computer Week, Internet, http://fcw. com/articles/2010/06/29/web-aussie-isp-code.aspx. The code was drawn up by the Australian Internet Industry Association (IIA) in conjunction with Australia’s Broadband, Communications and the Digital Economy Department and the Attorney General’s Department. 10 “Acts adopted under the EC Treaty/Euratom Treaty whose publication is obligatory,” Internet, http://eur-lex.europa. eu/JOHtml.do?uri=OJ:L:2009:337:SOM:EN:HT ML. 11 National Defense Authorization Act of 2011, H.R. 5136. 111th Congress, 2011. 12 The United States Federal Communications Commission, “Connecting America: The National Broadband Plan” (16 March 2010). 13 Nilay Patel, “Google and Verizon’s Net Neutrality Proposal Explained,” Engadget, Internet, http:// www.engadget.com/2010/08/09/google-and-verizons-net-neutrality-proposal-explained/. 14 Commerce Department Documents and Publication. “U.S. Commerce Secretary Gary Locke Announces Initiative to Keep Internet Open For Innovation and Trade at Cybersecurity Forum,” Internet, http://www.tmcnet.com/usubmit/2010/09/23/5025949.htm. 15 U.S. Census Bureau, ‘‘Quarterly Retail E– Commerce Sales: 4th Quarter 2008,’’ U.S. Census Bureau (16 Feb. 2010).

The Whole of Nation in Cyberpower Alexander Klimburg How can nations project power in cyberspace? In light of the increasing dependency of modern society on all aspects of cyberspace, and the equally increasing breadth and scope of cyber attacks, this question is important. While it might seem obvious that an event as momentous as the advent of the cyber domain1 would demand new forms of policymaking, many Western liberal democracies have struggled to make the necessary evolutionary leap. This article seeks to demonstrate that useful models already exist for adjusting to the challenges of exercising cyberpower; namely, governments must work with a wide range of actors in a world increasingly defined by “distributed power.”2 As counterintuitive as it may seem, cyberpower policy discussions can be greatly informed by the experiences on the ground in Afghanistan and Iraq. This is especially the case as both “cyberpower”3 and so-called “Fragile States” policies have one variable in common: the importance of non-state actors. While nonstate actors are important within development, humanitarian aid, and conflict prevention, they are absolutely crucial for cyberpower, as most cybersecurity activities rely completely on non-state actors. To exercise any kind of real “Whole of Nation” cyberpower, the state ultimately must coerce, co-opt, or convince the non-state sector to cooperate.

Alexander Klimburg is Fellow and Senior Adviser at the Austrian Institute for International Affairs.

[171]

THE WHOLE OF NATION IN CYBERPOWER

The Whole of What? The terms governments first introduced the conWhole of Government, Whole of Systems, and Whole of Nation have increasingly been used in formulating public policy and are central to the discussion of national cybersecurity and cyberpower.4 Overall, they focus on the principle security demand of the twenty-first century – the need for a wide range of different actors to work together on a very wide range of security-related issues. These concepts first entered security policy discussions in the context of “peacebuilding” in conflict zones such as Afghanistan and Iraq, and are closely identified with related concepts in international security, such as “Fragile States” and “Conflict Prevention” policies.5 Originally, the “Whole of Government Approach” (“WoGA,” also known as “networked government, and, in the United Kingdom, as “joined-up government”) was conceived primarily as a cost-saving measure. Government departments were encouraged to pool resources and to deliver “more for same.” At the same time, many policymakers were starting to associate the comprehensive international failure in the Balkans in the early 1990s with a complete lack of coordination among all actors. Thus, national governments developed Whole of Government concepts in order to manage expenses and maximize efficiency. The most prevalent of these is the so-called “3D Approach” (Diplomacy, Development and Defense),6 first employed by Canadian forces in Afghanistan in 2004, and used today by many Western governments, including the United States.7 Critics of the “3D Approach” appeared soon after NATO member

[172] Georgetown Journal of International Affairs

cept. WoGA clearly made sense for governments. In contrast, civil societybased development and humanitarian aid organizations – which are often key actors in “Conflict Prevention” situations – resisted efforts to coordinate them as if they were governmental departments. These groups argued that it was equally important to encourage international horizontal cooperation of similar actors, such as those involved in humanitarian aid. These non-state actors also had their own version of the “3D Approach,” known as the “3C Approach” (“Coherent, Coordinated, and Complimentary”).8 And so was born the Whole of Systems Approach (WoSA) – a concept that placed the operational center of gravity in an international, rather than a national, setting. International organizations such as the European Union, the United Nations, and NATO naturally preferred an arrangement in which the international framework was more important than the national framework, and each has adopted its own version of WoSA as part of its organizational lingo.9 It soon became clear that WoSA had shortcomings as well. In particular, the concept left no room for private business or other non-state actors outside of the NGO community. While this was only a moderate challenge for “Fragile States” policies, the failure to incorporate private-sector actors in the process of dealing with crises was indeed a considerable challenge in other security areas, such as counter-terrorism, and in particular, national cybersecurity. The private sector and the civil society play major roles in national cybersecurity. The private sector manufactures

KLIMBURG

virtually all of the software and hardware that is used for cyber attacks, maintains most of the network infrastructure over which these attacks are conducted, and often owns the critical infrastructure against which these attacks are directed. Civil society actors – as distinct from the private sector – dominate cyberspace. Civil society actors define and

International Engagement on Cyber

In Australia, where the term has been used for a number of years in security policy documents, WoNA implies that the federal government does not control actors, but can act as primus inter pares in negotiations with provincial/ local government, the private sector, and the civil society.14 The differences between the two interpretations are

The private sector and the civil society play major roles in national cybersecurity. program the parameters (i.e. the software protocols) of the cyber-domain.10 Furthermore, they actively research cybersecurity issues and publicly speculate on cyber attacks. Together, privatesector and civil-society actors account for the bulk of what is termed “national” cybersecurity. In this context, the term “Whole of Nation Approach” is increasingly used to describe means and methods of involving these nongovernmental actors in public policy. Within a few years the term Whole of Nation has developed from complete obscurity into a widely recognized term within the National Security Council11 and other parts of the U.S. government. The definition of the term Whole of Nation varies according to its contexts – indeed, there are no accepted universal definitions. The governments of both Australia and Singapore, for example, practice the WoNA approach, but each uses the term quite differently from the other.12 The Singaporean version of WoNA is similar to old European “Total Defense” concepts, where, in a national emergency, most of the civilian space effectively comes under state control.13

significant; in the Singaporean case, the non-state sector is seen as a government capability in reserve (i.e. for civil defense), while in the Australian case the non-state sector is seen as a fully capable actor in its own right – an actor that needs to be convinced to support the views of the federal government.

An Integrated Capability Model of Cyberpower After a

decade-long debate among security policymakers, the Integrated Capability Model of Cyberpower is proposed here as a framework that is best suited to determine which capabilities can be used to deliver the various instruments of national power. The defined capabilities are segmented into three dimensions rooted in the general public policy approaches described above: Whole of Government (WoGA), Whole of Systems (WoSA), and Whole of Nation (WoNA). The first dimension, called the Integrated Government Capability, evaluates the ability of a government to deliver joint action on a host of different activities. Particularly important is the abil-

[ 1 7 3]

THE WHOLE OF NATION IN CYBERPOWER

ity to attack and defend in cyberspace, to draft common policy positions, and to share operational resources. In the United States, this capability developed relatively slowly, although in 2010-2011 a breakthrough was achieved on national crisis management with the adoption of the National Cyber Incident Response Plan (NCIRP). The NCIRP is supported by the new National Cybersecurity and Communications Integrations Center (NCCIC) and has greatly clarified roles and responsibilities in the event of a major cyber incident.15 The second dimension, called Integrated Systems Capability, assesses the ability of a nation to work through international alliances and partnerships such as NATO or the UN, through non-state horizontal partnerships such as FIRST,16 or through hybrid organizations such as ICANN.17 Like many countries in the West, the United States had been relatively slow to realize the security implications of the wide and diverse field of Internet governance, and thus has not been able to properly represent its interests or communicate

some EU member states to modify their policies on global Internet governance.18 The third dimension, called the Integrated National Capability, examines how the diverse non-state cyber elements within a particular country are used in direct support of a nationstate’s government policy. As noted above, cyber is an overwhelmingly nonstate domain – the vast majority of Internet infrastructure (hardware), software protocols and programs, and online content and services are created and maintained by the non-state sector. Western nations have not been completely oblivious to this fact. Most liberal democratic governments are investing substantial resources into Critical Infrastructure Protection programs (CIP, also called CIKR in the United States). These programs are supposed to help the “societal-critical” parts of the private sector (such as in the infrastructure operators within the energy sector) to better protect themselves from various threats, including cyber attack. Most of the cyber-weapons used for these attacks,

The importance of cooperation remains one of the most significant challenges for governments. its concerns to allies and partners. In recent years, however, the U.S. government has improved its strategic communication with the establishment of new entities such as the “Office of Cyber Affairs” in the State Department. The benefits of this new coordinated foreign policy approach were evident in the recent U.S. success in convincing

[174] Georgetown Journal of International Affairs

even when ostensibly quasi-governmental, are often built around code originally developed by cybercriminals and targeted through software vulnerabilities acquired from non-state actors. Distinguishing between non-state cyber attacks conducted on behalf of nation-states and attacks conducted completely for criminal or terror-

KLIMBURG

ist purposes is one of the essential challenges of national cybersecurity. The“cyber-veil,” – the difficulty of technical attribution of attacks in cyberspace – makes it easy for state cyberespionage attacks to be seen as cybercrime attacks, or vice versa. Of course, the vast majority of all cyber attacks are most likely conducted by non-state actors. Cybercrime, according to some calculations, is already the world’s largest illicit business, supposedly generating over 1 trillion dollars in activity in 2010 alone.19 On the other hand, there is no doubt that some non-state actors regularly conduct cyber attacks on behalf of governments, or at least with their encouragement or tacit consent. In short, the Integrated National Capability of a nation is the ability of a government apparatus to work together with non-state actors. This includes infrastructure operators, software and hardware manufacturers, independent programmers, hackers, researchers, and activists. The major challenge for governments is finding the best way to bring about this cooperation. Overall, it can be said that governments only have the ability to coerce, co-opt, or simply convince these nonstate actors to support their position. While all states can be said to apply some degree of coercion against their citizens, there is considerable variation in the methods that different governments use. Legal instruments are usually the first option. In Russia, the SORM legislation requires virtually all Internet Service Providers to install equipment that in effect allows the intelligence services to directly monitor all Internet traffic within the country.20 Other countries, includ-

International Engagement on Cyber

ing France, have made it mandatory for identified Critical Infrastructure operators to participate in their programs. Even the United States has abandoned a completely voluntary approach to the private sector within CIP, and has introduced legislation to compel cooperation where required.21 Coercion can occur outside of legal frameworks, however, and can therefore be much less transparent. This is particularly evident in Russia, where individual “hacker patriots” are presumed to have often been “instrumentalized” by the intelligence community to conduct cyber attacks on foreign nations.22 Suspected cyber criminals (international cybercrime is dominated by Russia-based actors)23 have often appeared in government advisory positions rather than being extradited.24 The Russian media, including online media, are regularly discouraged from reporting on Russian cybersecurity issues. Since many of these media outlets are owned by Kremlin-associated businessmen, they tend to practice a high degree of self-censorship as well.25 If coercion is all about implied punishment, cooption is about implied reward, bestowed through political structures designed to support the political elite. Classic examples of a cooption strategy are “youth groups” of political parties. The Putin-aligned Nashi group in Russia, for example, was implicated in the 2007 cyber attacks on Estonia.26 Quasi-volunteer military programs are also tools used to induce cooperation from non-state specialists. China has long employed this approach. The People’s Liberation Army (PLA) runs a number of different “patriot hacker” competitions every

[ 1 7 5]

THE WHOLE OF NATION IN CYBERPOWER

year, the winners of which are rewarded a yearly stipend.27 These young programmers are often acclimatized to the role of the military through structures such as the “National Defense Reserve Forces,” a thirty-year old military program – not unlike similar Cold War programs in the United States and Europe – that in effect automatically includes most computer studies students at state universities. Some of these same students are also encouraged to join Information Warfare militia units, often based in state universities and enterprises. According to one expert, the government also directly offers cash to influential “Netizens” (people of the net). Many thousands of bloggers – the absolute backbone of the Chinese online civil-society – supposedly receive regular payments from the state to remain available in case of “a national public relations emergency.”28 Given that cyberspace probably represents the greatest security concern to the CCP, these programs are very effective tools for preventing these most dangerous of potential subversives from turning against the state itself.

legislation (coercion) or commercial contracts (cooption), as is common in CIP programs. The reach of these initiatives is limited, however, and does not include most IT hardware and software companies, whose products are exploited to launch cyber attacks. Similarly, most Internet security companies, whose work is essential for dealing with the vast majority of attacks, are not included in these CIP programs. Private-sector actors can probably be motivated or co-opted by the State through commercial instruments, even if these instruments can be very expensive for the taxpayer. This approach is unlikely to work with the civil society, however, whose very ethos is quite different from the profit-seeking motives of private enterprises. The civil society is certainly an important actor; volunteer “white hat” and “grey hat” hackers have more than once prevented the collapse of the Internet and continue to do so today.29 Indeed, the Internet itself was built (and is still being built), one protocol at a time by organizations such as the Internet Engineering Task Force (IETF), whose core principle is to “reject Kings.”30 Open Source The Power to Convince Developers have produced a wide numLiberal democratic governments can- ber of highly useful tools, including the not easily co-opt or coerce the coop- freely available Linux operating system, eration of members of the civil society. which is used by many governments. The independence of these actors from Finally, individuals working in a Secucapricious government action is con- rity Trust Network regularly research sidered a core element of liberal dem- serious cyber attacks and publish their ocratic systems. At the same time, the findings.31 By lifting the “cyber-veil” importance of these non-state actors behind which attackers hide, these for national cybersecurity is consider- researchers often do what governable – indeed, there is little that can be ment is unwilling or unable to do: done in cybersecurity without the coop- point out probable culprits, includeration of these actors. Some of this ing possible state-backed attackers. cooperation can be achieved through While the attacker-attribution deliv-

[176] Georgetown Journal of International Affairs

KLIMBURG

ered by these researchers is often circumstantial and hardly good enough for cruise missiles, it is certainly good enough for CNN. By publicly delivering this type of “plausible attribution,” these actors can help to deter state-induced proxy attacks by eliminating the plausible-deniability benefit for state governments. There is some evidence that the activity of such actors has already led to a decline in some types of state-sponsored “hacker patriot” activity.32 The best defense against non-state hackers who work on behalf of foreign governments may therefore be truly independent and credible non-state researchers, rather than some type of “hacker militia.” The Whole of Nation approach to cyber is only one of the three dimensions of cyberpower. The ability of a government to coordinate its various institutions is, of course, a basic starting point for national cyberse curity. Likewise, a government must

International Engagement on Cyber

be able to collaborate with international partners in an effective manner, as many of the relevant issues can only be dealt with at a global level. The importance of cooperation with the non-state sector remains one of the most significant challenges for governments. The cooperation can sometimes be achieved through coercion, and sometimes non-state actors can be co-opted into supporting government policy. For liberal democracies, however, the only option available will often be to convince their non-state actors of the sensibility (and morality) of their government’s actions. This requires the development of true inward-focused “soft-power” capability. Given the importance of the non-state sector in all things Cyber, Western governments have little choice; exercising cyberpower will require that these governments learn to wield power with, rather than through, their non-state actors.

NOTES

1 The United States military, after many years of deliberation, accepted cyberspace as constituting a new “domain” in which warfare can occur, equal therefore to the domains of land, sea, air and space. In early 2011 government officials said that the White House was insisting that references to cyberspace as a domain be dropped, presumably as the term “domain” was deemed to have an excessive military connotation. 2 As defined by Joseph Nye, “distributed power” is power held outside of state control by other political actors, such as the civil society. Modern technology has contributed to a rise of this “distributed power.” To remain in control states must leverage their smart power, which is to combine the “hard power” of military coercion/economic dominance with the “soft power of persuasion and attraction. This means power must be wielded with others rather than over them. See Joseph S. Nye, “The Changing Nature of

World Power,” Political Science Quarterly, 106. no. 2 (1990): 177-192. Recently, Nye has sought to apply his theory of soft power to cyberpower, but he emphasizes the “external” function of soft power (towards other nations and foreign organizations) over the “internal” function (towards one’s own citizens). See Joseph S. Nye, Cyber Power (Cambridge: Belfer Center, Harvard Kennedy School, 2010). 3 Franklin Krammer, Stuart Starr and others have made an important contribution to understanding cyberpower in recent work that they completed at the United States National Defense University. They defined cyberpower as: “the ability to use cyberspace to create advantages and influence events in all the operational environments and across the instruments of power.” Cyberpower is thus defined in two ways: both as a domain of military operations and as a tool to better support the different “instruments of power” – the latter, in U.S. military jargon, is often sum-

[177]

THE WHOLE OF NATION IN CYBERPOWER

marized as DIME: Diplomatic, Informational, Military and Economic (DIME). These instruments can be best conceived as individual elements of governmental action – for example “diplomatic pressure,” or “military cyber strike,” or “export restrictions on sensitive computer equipment.” The implication is that these instruments should operate together, somewhat like an orchestra, and together should deliver the intended political outcome – for example, “stop weapons program.” See Franklin D. Kramer, Stuart H. Starr, and Larry Wentz, Cyber Power and National Security (National Defense University, 2009). 4 For an example of how the Department of Homeland Security is using the “Whole-of-X” terminology for Cybersecurity, see http://www.dhs.gov/ ynews/speeches/sp_1296152572413.shtm. 5 The Whole of Government Approach has been developed particularly in the context of the OECD’s Development Assistance Committee (DAC) Fragile States Group (FSG). See “Whole of Government Approaches to Fragile States,” DAC Guidelines and Reference Series, DAC reference document (OECD, 2006). For an overview of these and related concepts, see Kristiina Rintakoski, Mikko Autti, “Comprehensive Approach Trends, Challenges, and Possibilities for Cooperation in Crisis Prevention and Management,” seminar publication, 17 June 2008, available at http://www.defmin.fi/files/1316/Comprehensive_ Approach_Trends_Challenges_and_Possibilities_for_ Cooperation_in_Crisis_Prevention_and_Management. pdf; for “whole of nation” interpretations within counter-insurgency and counter-terrorism see other NATO concepts regarding Whole of Government, available at http://www.cgsc.edu/sams/media/WholeofWorldCollaborationFinal.pdf. 6 Robert Gabriëlse, “A 3D Approach to Securtiy and Development,” Quarterly Journal (2007). 7 Critics have often remarked that, going by budget allocations, it should really be “Defense, Diplomacy, and Development,” as money spent on “Defense” in Afghanistan is more then a factor higher than that which is spent on “Development.” 8 The OECD-DAC was instrumental in helping to develop the Whole of System Approach and 3C in particular. See “A Comprehensive Response to Conflict and Fragility,” Internet, http://www.oecd.org/dataoecd/0/27/44392383.pdf (date accessed: 7 July 2011). 9 NATO WoSA is referred to as a “Whole of the Alliance Approach,” while EU WoSA is often called the “Whole of the Union Approach.” While often used as a shorthand term for agreed-upon action among members, the term is often used to imply the need for directly assigned organizational assets (such as helicopters or the like). 10 For instance, the most important policy body within Internet governance is the Internet Cooperation of Assigned Names and Numbers (ICANN), a registered Californian non-profit organization. The technical basis of the Internet, in particular the software protocols, is provided by volunteers working

[178] Georgetown Journal of International Affairs

within the frameworks of the IEEE and IETF. The IETF is so famously anti-authoritarian that it does not even vote on technical proposals. Rather, its members “hum” to indicate their preferences. Whichever group is perceived to have “hummed louder” carries the proposal. 11 “GAO: U.S. slow to implement president’s cyber security strategy,” Homeland Security News Wire, Internet, http://homelandsecuritynewswire. com/gao-us-slow-implement-presidents-cyber-security-strategy?page=0,1 (date accessed 15 July 2011). 12 See comments made by the Singaporean Minister for National Security, available at “Continued vigilance, Whole of Nation Approach Needed for National Security: Prof Jayakumar,” Internet, http:// www.channelnewsasia.com/stories/singaporelocalnews/view/1071736/1/.html (date accessed: 10 July 2011). 13 More specifically, the present Singapore “Total Defense” concept bears a remarkable and word-forword similarity to the Austrian Total Defense concept of 1975 (Umfassende Landesverteidigung). 14 One of the first mentions of “Whole of Nation” occurred in Australia in 1997 in a statement by the Foreign Ministry. See Australia, Foreign Ministry, Foreign and Trade Policy White Paper, 28 August 1997. Internet, http://www.foreignminister.gov.au/ releases/1997/fa106_97.html (date accessed: 20 July 2011); for a more recent analysis see Anthony M. Forestier, “Effects-Based Operations: An Underpinning Philosophy for Australia’s External Security?,” Security Challenges, 2 no. 1 (2006). 15 Previous to the adoption of the NCIRP the management of a major U.S. cyber-incident was dependent upon the identification of the “attackingactor” to determine the lead government agency – for instance, domestic-terrorist, foreign terrorist, or nation-state. Given that attributing cyber-attacks can be very difficult, the U.S. model was widely perceived abroad as a recipe for disaster in a crisis situation. Luckily, it was never tested. 16 FIRST is the Forum of Incident Responders and Security Teams – a global community of CERT (Computer Emergency Response Team) professionals who form a key element for any Cyber-defense organization. 17 ICANN is the Internet Cooperation for Assigned Names and Numbers, a civil-society organization that has one of the most important regulatory functions in what is commonly referred to as “Internet governance.” 18 For instance, at an October 2010 conference of the International Telecommunication Union (ITU) in Guadalajara, Mexico, many EU Member States reversed their original position on expanding the role of the ITU in Internet governance. The U.S. government had strongly argued against this, and favored the current system, with a strong role for the present Internet Cooperation for Assigned Names and Numbers (ICANN).

KLIMBURG

19 Elinor Mills, “Study: Cybercrime Cost Firms $1 Trillion Globally,” CNET News, Internet, http:// news.cnet.com/8301-1009_3-10152246-83.html (date accessed: 15 July 2011). 20 Sharon LaFrancier, “Russian Spies: They Got Mail,” The Washington Post, 7 March 2002, Internet, http://www.washingtonpost.com/wp-dyn/ articles/A51550-2002Mar6.html. 21 According to a 2008 report completed by the U.S. Congress Government Accountability Office (GAO), at that time the United States maintained eight minimum standards, twenty-five regulations, and one law to support Cybersecurity efforts within defined Critical Infrastructure sectors. This did not include federal legislation for “non-Cyber” Critical Infrastructure protection, such as the “Chemical Facilities Anti-Terrorism Standards” (CFATS), which stipulates standards for hazardous facilities throughout the United States. It also did not include additional state, local, and tribal legislation that may have been applied. See GAO. “Securing Private Sector Information Technology Systems and Data in Critical Infrastructure Sectors.” 22 Paul Goble, “FSB Encourages, Guides Russia’s “Hacker-Patriots’,” Window on Eurasia, Internet, http://windowoneurasia.blogspot.com/2007/05/ window-on-eurasia-fsb-encourages-guides.html (date accessed: 25 June, 2011); Alexander Klimburg, “Mobilising Cyber Power,” Survival, 53 no. 1 (2011): 41-60. 23 In 2007, over 40 percent of worldwide Cybercrime was attributed to a single Russian cyber-crime gang. See Rhys Blakely, Jonathan Richards, and Tony Halpin, “Cybergang Raises Fear of New Crime Wave,” Times, Internet, http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article2844031.ece (date accessed: 18 July 2011); Peter Warren, “Hunt for Russia’s Web Criminals,” Guardian, Internet, http://www.guardian.co.uk/technology/2007/nov/15/news.crime (date accessed: 18 July 2011). 24 Brian, Krebs, “Security Fix. Following the money: Rogue Anti-Virus Software,” The Washington Post, Internet, http://voices.washingtonpost. com/securityfix/2009/07/following_the_money_trail_ of_r.html (date accessed: 27 June 2011); for an open letter by Russian State Duma on the subject of Chronopay, see http://krebsonsecurity.com/wp-content/ uploads/2010/05/ivptrans.pdf

International Engagement on Cyber

25 One of the most well known of such holding companies, Digital Sky Technologies (DST) has also invested in Western media companies such as Facebook. See http://www.scribd.com/doc/29745909/ Kremlin-Control-of-Russian-Internet-RisingOSC-Says 26 Robert Coalson, “Behind The Estonia Cyberattacks,” Radio Free Europe/Radio Liberty, Internet, http://www.rferl.org/Content/Behind_The_Estonia_Cyberattacks/1505613.html (date accessed: 3 July 2011). 27 Alexander Klimburg, “Mobilising Cyber Power,” Survival, 53 no. 1 (2011): 41-60. 28 Melinda Liu, “Blog the Record Straight,” Newsweek, Internet, http://www.newsweek.com/ id/186996 (date accessed: 15 July 2011). 29 Joshua Davis, “Secret Geek A-Team Hacks Back, Defends Worldwide Web,” Wired, Internet, http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky (date accessed: 7 July 2011). 30 More specifically, “we reject Kings, Presidents, and voting. We believe in rough consensus and running code.” Attributed to Dave Clark. See Paulina Borsook‚ “How Anarchy Works – On Location with the Masters of the Metaverse, the Internet Engineering Task Force,” Wired, (October 1995). 31 Alexander Klimburg, “Whole-of-Nation Cyber Security,” in Inside Cyber Warfare: Mapping the Cyber Underworld. (Sebastopol: O’Reilly Media, 2009): 199-202 32 According to various U.S. and international sources interviewed by this author, the publicity gained by volunteer researchers in pursuing Russian Cybercrime organizations as well as researching Russian Cyber-attacks against Georgia and Estonia had a decisive effect on the Russian government. One indicator of this effectiveness has been a recent marked increase in collaboration between the Russian security services and international law enforcement fighting cybercrime, as well as near total-disappearance of the devastating Russia DDoS attacks such as those launched against Georgia and Estonia.

[ 1 7 9]

Civilizing Cyberspace Tom Kellermann Cyberspace is not a pacific environment. We exist in a restless world with a powerful new destabilizing dimension: the Internet. Technology has empowered rapid change among non-state actors and the asymmetrical capabilities they enjoy in this domain will undermine civilization if not strategically thwarted. The hostile nature of the Internet is highlighted by foreboding trends. For example, a top criminal priority for the FBI is cybercrime. According to the Department of Justice, two out of three U.S. companies have been impacted by cybercrime.1 It is estimated that industrial cyber espionage has amounted to losses in excess of $50 billion.2 The British government noted in a 2011 report that U.K. businesses have experienced over $40 billion in losses due to corporate espionage.3 These examples illustrate the need to understand the stark realities and dangers of cyberspace, as non-state actors and terrorists are financing their operations through cyber. Sophisticated and organized adversaries use cyber attacks to target financial institutions and companies that are rich in intellectual property, particularly in 2011. The economic ramifications of cyber threats and vulnerabilities to the private sector are severe. The vulnerability of our modern interconnected and digitally reliant infrastructures is well established. Plausible deniability does not exist, except in

[180] Georgetown Journal of International Affairs

Tom Kellermann is the Chief Technology Officer for AirPatrol Corp. He previously held the positions of Vice President of Security at Core Security and of Deputy CISO for the World Bank Treasury.

KELLERMANN

the minds of the uninformed. USCERT has noted a 40 percent increase in computer intrusions and the FBI’s number-one criminal priority continues to be cybercrime. The recently released SAIC / McAfee study, “Underground Economies” is fairly damning of the laissez-faire approach to cybersecurity taken by corporations around the world. For example, 85 percent of company assets are intangible assets stored in networks; 25 percent in the study halted a merger, acquisition, or product rollout due to a cyber attack; 50 percent did not investigate cyber breaches due to costs; and 65 percent

International Engagement on Cyber

who can use free hacking tools and a botnet. Often it is not merely the naïve end user but the corporation that is now the target of cybercrime. Unfortunately, the facts not only demonstrate that the cyber threat to the United States is real, but also that it constitutes a significant ongoing attack against American industrial competitiveness in the form of theft of intellectual property from American companies. This threat is not being adequately addressed by a strategic and coordinated government-industry initiative. Compounding this problem is the lack of real information-sharing across sec-

Sophisticated and organized adver-

saries use cyber attacks to target financial institutions and companies that are rich in intellectual property... of the executives were worried about wireless and mobile device security despite the fact that their workforces and service offerings are completely dependent upon wireless infrastructure.4 We often bemoan the stark reality of cybercrime, but rarely do we take a long look in the mirror and take the right initiatives to prepare for it. Our lack of appreciation for the sophistication and organization of the adversaries creates a panacea for cybercrime. The cyber underground is thriving with new actors, capabilities and infrastructure, much of which is comprised of our “owned” machines. Big brother is no longer the monopoly of the United States government, but rather can take the form of anyone

tors and countries; this shortfall in the shadow economy ecosystem hinders our efforts to “drain the swamp.” The stability of the western world requires that key private-sector representatives engage in a more formal way with government representatives to better measure progress in assessing and reducing the risk in cyberspace. In short, the private sector needs a seat at the table with government to chart the nation’s cyber course. Government and industry must work together to specify what is required for progress and define what success looks like. We need a much clearer picture of what the nation needs to worry about in cyberspace and how to combat this problem. At its heart, this requires that the public-private

[181]

CIVILIZING CYBERSPACE

collaboration identify critical national cyber priorities, set goals and objectives for each, and identify corresponding milestones and metrics for those objectives so that they can be resourced, tracked, and improved over time. Little effort is focused on the enablers of cybercrimes as they knowingly, recklessly, or blindly facilitate this wrongdoing and, in fact, help miscreants and more serious actors to operate with impunity. When suspicious activity and even evident crimes are discovered, policymakers and other stakeholders have insufficient capability to handle the situation. Even the United States and her allies cannot connect the dots among disparate databases to create a true, comprehensive picture of which instances of criminality are connected to each other, to which malicious actors, and to which enablers. For example, there is no federated system to collect, analyze, and share information on cyber activity and malicious actors among federal agencies or the state agency databases. Generally, there is no real mechanism to connect the dots between suspicious cyber activities that have been tentatively connected with terrorists and other instances of cyber criminality, such as spam, identify theft, financial fraud, and so forth. Much has been written about the challenge of attribution in cyberspace. Who is intruding in our systems and who is behind the malicious activity? All too often it remains difficult, if not impossible, to identify the involved parties who hide behind the anonymity and global orientation of the Internet and utilize a catacomb of enablers, consisting of both legitimate and illegitimate providers, to

[182] Georgetown Journal of International Affairs

cover their tracks. This includes Internet Service Providers (ISPs), hosting companies, merchant banks and online payment systems. Most often, however, the enablers are known, and they must become an important part of the initial inquiry and long-term vigilance. Internationally, even in those limited cases where individual cyber criminals or syndicates are uncovered, the laws on the books and the available investigative resources often make meaningful investigation or consequential prosecution unlikely. In some countries, the ruling governments and resident Internet infrastructure are uncooperative at best and recalcitrant at worst. How to deal with these important bottlenecks for effective action against cybercrimes is an important component of this challenge. Traditional approaches are not sufficient to impact the problem or reduce the larger risk that it represents to the United States and its allies. None of these points is actively and openly debated among the government or private industry organizations; nor is the fact that current means of law enforcement have proven insufficient to combat cybercrime effectively, specifically because they tend to be reactive instead of proactive. We have stood by as law enforcement, however well-intentioned, has tried to lead nationally and internationally in the fight against malicious cyber activity. Frankly, this issue is much larger than what law enforcement can or should be called upon to solve.

Diminishing the Ecosystem

Diminishing this vast, complex ecosystem of cyber risk demands a compre-

KELLERMANN

hensive approach that crosses the societal and organizational boundaries that the threats themselves transcend. Businesses can and must contribute more to addressing this challenge than merely being called on to report details of cybercrime incidents. It is crucial that

International Engagement on Cyber

cious capabilities. More importantly, in order to work effectively over time and sustain itself, this partnership must also respect the equities and perspectives of its key stakeholders in its processes, and it must leave all of its various participants feeling respected

When suspicious activity and even evident

crimes are discovered, policymakers and other stakeholders have insufficient capability to handle the situation. they disclose the enablers of criminal activity, from the alternative payment channels to the hosting companies. The question remains: how can law enforcement, other key government organizations, and businesses come together and partner in a manner that transcends previous efforts and hits back at cybercrime in a game-changing way? To begin to address this problem, cybercrimes must be recognized as part of the larger problem of malicious cyber activity, including the actions of a continuum of malicious actors ranging from the low-level hacker and the pure criminal to organized criminal groups and nation-states with their proxies and surrogates. It must be addressed strategically and proactively by an alliance of key business and government stakeholders, including, but not limited to, law enforcement. Quite simply, the seriousness and complexity of this problem desperately requires a public-private allianceâ&#x20AC;&#x201D;made up of U.S. and international stakeholdersâ&#x20AC;&#x201D;to embark on a truly strategic approach to reducing the frequency, impact, and risk of mali-

and validated for their contributions. The two overarching problems are, first, that there are virtually no consequences for malicious cyber activity, and second, that the Wild West nature of cyberspace enables serious malicious actors to use available vulnerabilities, attack tools, alternative payment processes, and illicit hosting companies to continue to operate with impunity. Thriving malicious activity enables more serious kinetic activity. The International Cyber Security Protection Alliance (ICSPA.org) is a functional example of capacity building in both domestic and international markets in combating the growth of cybercrime. Now is the time to launch an initiative to develop a strategic roadmap to address malicious cyber activity in a proactive way that uses all available resources and that includes the engagement of key stakeholders from government and the private sector. This initiative should follow the efforts of the National Center for Missing and Exploited Children and the Financial Services Technology Consortium, which tackled the global problem of child pornography in 2006

[183]

CIVILIZING CYBERSPACE

and 2007. The heart of the effort was a working group made up of key stakeholders with understanding of the scourge of child pornography and the flow of alternative payments and hosting services that enable and reward it. The strategy must include a focused effort to collect and share data on malicious actors and those who enable them to operate successfully and anonymously in cyberspace. Additionally, the strategy should identify and leverage available technologies and processes to better secure the transactions, communications, and online interac tions between and among individuals

and organizations. By more strategically collecting and sharing data we can better connect the links between the offending activity and those behind it in order to supplement the traditional law enforcement response with one that uses the full authorities and resources of governments and the private sector. Only through appreciation of our adversaries’ tactics and organization can we begin to civilize cyberspace. The author would like to thank Melissa Hathaway and Andy Purdy for their contributions to the vision entailed within this article.

NOTES

1 “Computer Crime and Intellectual Property,” U.S. Department of Justice, Internet, http://www. justice.gov/criminal/cybercrime/ipmanual/01ipma. html (date accessed: 4 August 2011). 2 “White House Cyber Policy Review” (Washington, DC: 2009), Internet, http://www.whitehouse. gov/assets/documents/Cyberspace_Policy_Review_ final.pdf (date accessed: 2 August 2011).

[184] Georgetown Journal of International Affairs

3 “The Cost of Cyber Crime,” UK Cabinet Officer, Internet, http://www.cabinetoffice.gov.uk/ resource-library/cost-of-cyber-crime (date accessed: 1 Auguest 2011). 4 “Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency,” (McAfee: Santa Clara, 2011), Internet, http://www.mcafee.com/us/resources/reports/rp-underground-economies.pdf (date accessed: 5 August 2011).

China’s Cybersecurity Challenges and Foreign Policy Gao Fei For the People’s Republic of China’s first thirty years of history (1949-1978), Chinese foreign security policy focused mainly on protecting its sovereignty and preventing invasion. Since then, China has shifted its focus to economic development. While the rise of the information age and the modern technological revolution facilitated the country’s transition, these shifts have also engendered new challenges. Cybersecurity is one such challenge, and has emerged as a major Chinese national security issue.

Gao Fei is an Associate Professor and Director of Research at China Foreign Affairs University, and a Fulbright Scholar at the George Washington University.

China is Increasingly Dependent on the Internet Internet penetration and use are growing rapidly in China. As of December 2010, China had 457 million Internet users, an increase of 73.3 million from the previous year. Overall Internet penetration has climbed to 34.3 percent of the population, an increase of 5.4 percent compared to the end of 2009. Broadband use is also growing quickly. By December 2010, China had 450 million broadband users (including DSL, cable, optical access, power line communication, Ethernet, and mobile broadband users), and 98.3 percent of the Chinese population used a broadband connection to access the Internet in the first half of 2010.1

[ 1 85]

CHINA’S CYBERSECURITY CHALLENGES AND FOREIGN POLICY

Commercial Internet applications are also increasingly prevalent in China, which is pushing e-commerce development and changing users’ habits. In 2010, over 160 million Chinese consumers shopped online, an increase of 48.6 percent from the previous year. Online payment and e-banking users have reached 137 million and 139 million respectively, with annual growth rates of 45.8 percent and 48.2 percent from the end of 2009.2 Chinese enterprises are increasingly dependent on the Internet for business development. As of December 2010, 94.8 percent of China’s small to medium enterprises (SMEs) are equipped with computers, and 92.7 percent have some form of Internet access. Among China’s larger enterprises, nearly 100 percent have some form of Internet access.3

The PRC is still a developing country, and the information technology revolution is bringing critical development opportunities. Both the Chinese government and Chinese enterprises advocate Internet infrastructure construction. The Chinese government contends that informatization is the driving force behind worldwide globalization and China’s urbanization. The information revolution has already made great strides in China over the past ten years. Ten years ago the Internet was nothing in China; now you can do nothing in China without the Internet.

China’s Vulnerabilities and Problems The Internet is a doubleedged sword. It creates new opportunities, but also brings new vulnerabilities and problems. China currently faces

Ten years ago the Internet was nothing

in China; now you can do nothing in China without the Internet. The Chinese government is also pushing Internet development by advocating efficient e-government at all levels nationwide. 1999 was the “Year of E-Government.” Since then, many different government departments and levels have established their own websites.4 In addition to providing basic government services, E-Government also makes it easier for government departments and units to publish information and provide policy advice. China’s E-Government drive is increasing not only governmental work efficiency, but also governmental transparency.

[186] Georgetown Journal of International Affairs

severe cybersecurity challenges. China is currently one of the greatest victims of botnet attacks worldwide. A “botnet” is a group of computers infiltrated by a hacker and infected with malicious software, generally for the purpose of attacking other information systems. These botnets are distributed across the globe. In 2007 the Honeynet Project, an international security research organization, found the highest number of botnets in Brazil, followed by China, Malaysia, Taiwan, Korea, and Mexico.5 The commandand-control servers directing these

FEI

machines were are located primarily in the United States, followed by China, Korea, Germany, and the Netherlands. By the close of 2007, Symantec identified around 3.2 million distinct bots worldwide. The largest numbers of botinfected computers are found in the United States (14 percent of total bots measured), followed by Germany (9.5 percent), and China (7.8 percent). Chinese websites are also vulnerable to malicious attacks. In September 2009, 3,513 websites were tampered with in China. Among those, 256 were government websites. The National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) has detected over 140,000 Internet clients suffering from botnet infections; half of those are located in the Chinese mainland. According to China’s Ministry of Public Security, Chinese websites, especially government websites (gov. cn), suffer outside hacking attacks at an average rate of nearly two thousand per month.6 Although the above statistics were gathered by different countries and organizations, at different times, and using different methodologies, they all clearly demonstrate that China is facing very serious cybersecurity challenges across multiple fronts. Although all countries face cybersecurity challenges and vulnerabilities, China’s problems are particularly acute. First, given the rapid growth of the Internet in China, officials who create and implement cybersecurity laws, regulations, and policies are finding it difficult to stay apace with the rate of change. These challenges are only increasing with the transition to highspeed broadband networks. Ongoing

International Engagement on Cyber

inter-departmental government coordination exists on matters of information security, risk assessment, standards development, product development, and the fight against online criminal activities. While such coordination has achieved positive results, there is no comprehensive national cybersecurity strategy to guide these efforts. Second, although the United States and other developed economies depend heavily on industry expertise and public-private cooperation to address their cybersecurity challenges, China’s information and communications technology (ICT) enterprises are still relatively inexperienced. Not only does the Chinese government presently lack the expertise to deal with these new security challenges, but it also does not have strong private-sector partners with substantial industry experience. Prior to the age of Internet telecommunications, the government was responsible for security, and enterprises were responsible for production. The Internet has created a new scenario: network technology is innovating and evolving so quickly that the government cannot keep up with market demands and guarantee security without industry cooperation. Most domestic Internet enterprises in China are still relatively new private companies, and it takes time to develop the close public-private cooperation that is necessary for effective security in the post-broadband era. Third, all countries are currently struggling to find an acceptable balance between cybersecurity—which generally requires some form of government oversight—and personal data privacy as well as information freedom. China is no exception. Developing democ-

[ 1 87 ]

CHINA’S CYBERSECURITY CHALLENGES AND FOREIGN POLICY

racy is an important goal for many people in China. In October 2010, Chinese Premier Wen Jiabao stated in a CNN interview: “I believe I and all the Chinese people have such conviction that China will make continuous progress and the people’s wishes and

security challenges for all actors. The Internet has no borders, and thus no country can guarantee security on its own. The controllers of most of the botnets found in China were based abroad. Moreover, more than 80 percent of the cyber attacks targeting Chinese govern-

The absence of mutual trust magnifies

the difficulties of cybersecurity cooperation among nations. need for democracy and freedom are irresistible… I hope you will be able to gradually see the continuous progress of China.”7 While the government is the key force driving China’s modernization, the Internet is driving the development of the mass media. For this reason, China’s social elites pay particular attention to the diverse views and debates surrounding cybersecurity and information freedom issues. Some elites support strict Internet controls to protect national security; others emphasize protecting information freedom and encouraging technical innovation, similar to the U.S. approach. Even in the United States and European Union, both of which possess strong democratic institutions and value the free flow of information, leaders and members of the public alike are debating and weighing individual rights versus states security issues. Debating such issues openly is particularly difficult in China, a state that has yet to transition toward democracy and lacks open public debate on issues that the government deems sensitive. Fourth, lagging international cooperation in the cyber arena increases

[188] Georgetown Journal of International Affairs

ment websites came from overseas.8 In this new environment, where actors can use information networks to attack one another across borders and without the knowledge of the host country, traditional political disputes among nations may give rise to new problems. For example, if an organization is considered a terrorist group by Country A but a legitimate human rights organization by B, country B may end up providing a base for this organization to attack the websites of Country A, subsequently leading to increased tensions among states. The absence of mutual trust magnifies the difficulties of cybersecurity cooperation among nations.

China’s Cybersecurity Foreign Policy China is a developing country,

though after thirty years of reform and opening up to the outside world, China has experienced tremendous internal change. In particular, the rapid growth of China’s economy and the country’s growing ties with the rest of the world stand out as immensely important, and have led Chinese officials to gradually develop what they have dubbed as a “New Security Concept.” The basic

FEI

tenets of this New Security Concept are mutual trust, mutual benefit, equality, and consultation.9 The New Security Concept takes a long-term view on security relations and respects other nations’ practical interests. It encourages nations to build trust through consultation and to protect national security by means of multilateral coordination. Specifically, the New Security Concept emphasizes multilateral ties, which stress the interdependence among nations in terms of security; multilateral cooperation, which replaces confrontation as the effective route to security; comprehensive security mechanisms that possess economic, technical, social, and environmental dimensions in addition to traditional military and political dimensions; and institution building as a legitimate means to enhancing security, rather than relying on use of the military.10 The New Security Concept not only focuses on traditional security but also emphasizes non-traditional challenges. Cybersecurity is itself a non-traditional security challenge. The Chinese government has stated that “[i]nformation security bears on international security and stability, as well as national economy and people’s livelihood…. Under the new circumstances with multiple security threats, rising non-traditional security factors and increasingly rampant international terrorism activities, information security has become an important issue in the field of international security.”11 China is continuously developing new laws, regulations, and technical standards to deal with new cybersecurity challenges. At the same time, China maintains that all states must bear responsibility for appropriately

International Engagement on Cyber

addressing issues of information security and stability, since enhanced cybersecurity serves a common global interest. China therefore advocates bilateral and multilateral international cooperation for addressing these mutual challenges. U.S.-China cybersecurity cooperation dates back to 9 June 1999. Professor Wu Shizhong, Director of the China National Information Security Testing Evaluation and Certification Center (CNISTECC), told U.S. embassy officials that his government was willing to cooperate with the United States on cybersecurity issues. He stated that the CNISTECC would welcome any information concerning Chinese hacker attacks against U.S. targets, because “China and the U.S. should cooperate on information security matters.”12 Chinese and U.S. research institutes have now already established institutional cooperation. China founded the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/ CC) in October 2000.13 Its main task is to coordinate China’s nationwide Computer Emergency Reaction Team (CERT) operations to deal with online emergencies, to provide technical and service assistance, and to organize international cooperation with similar agencies. Under the banner of its proposed East-West Institute, CNCERT has already brought together Chinese and American experts for an Institution on Sino-U.S. Cyber Security Dialogue. As of June 2010, these experts have met on three separate occasions. China and the United States are also launching intergovernmental communication meetings and dialogues on cybersecurity issues. The PRC also supports multilat-

[ 1 89]

CHINA’S CYBERSECURITY CHALLENGES AND FOREIGN POLICY

eral cybersecurity cooperation. Officials believe that the United Nations is the appropriate forum to address information security issues. China supports the UN General Assembly and the UN Group of Governmental Experts on Information Security continuing their comprehensive indepth studies on threats and challenges in the field of information security. It also supports their goal of developing reasonable and feasible measures within the context of international security and arms control.14 In sum, cybersecurity has emerged as an important issue in the field of international security. All countries face the same basic vulnerabilities in cyberspace. Security dilemmas may lead to a cyber arms race and to deteriorating security of cyberspace. Humankind has already suffered two World Wars and a Cold

War in the last century. Such historical tragedies demand that states discard a zero-sum game mentality. Enhancing cybersecurity serves the common interest of all countries and is also the common responsibility of the individual states. The global cybersecurity challenge could provide opportunities to promote international coordination, to better coordinate the activities and interests of governments and private sector, and to intensify communication among technological and service departments and ministries. Chinese leaders believe that as long as all countries acknowledge existing problems and demonstrate the political will to address them, the international community can arrive at a consensus regarding the appropriate means to deal with threats and challenges in the field of information security.

NOTES

1 China Internet Network Information Center (CNNIC), Statistical Report on Internet Development in China, Internet, http://www1.cnnic.cn/ uploadfiles/pdf/2011/2/28/153752.pdf, 3-5 (date accessed: (29 April 2011). 2 Ibid, 42. 3 Ibid, 61. 4 All Chinese E-Government websites are located at http://www.grchina.com. 5 Markus Koettner, “Know Your Enemy: Tracking Botnets,” Internet, http://www.honeynet.org/ papers/bots/ (date accessed: 13 May 2011). 6 “Paper of New Culture,” Internet, http:// news.163.com/10/0201/01/5UDBQDI20001124J. html (date accessed: 25 April 2011). 7 Tanya Branigan, “Wen Jiabao talks of democracy and freedom in CNN interview,” The Guardian, Internet, http://www.guardian.co.uk/world/2010/ oct/04/wen-jiabao-china-reform-cnn-interview (date accessed: 27 April 2011).

[190] Georgetown Journal of International Affairs

8 http://www.ln.xinhuanet.com/itpd/2010-11/12/ content_21379793.htm. 9 Cong Peng (Ed.), Comparative Studies: Security Concepts of Great Powers, (International Affairs Publishing House: 2004); 267-268. 10 Meng Xiangqing, ‘“Shanghai Five” Regime: Successful Practice of New Security Concept,’ PLA Daily, [Jiefangjun Bao], 12 June 2001. 11 “Information Security,” Ministry of Foreign Affairs of the People’s Republic of China, Internet, http://www.fmprc.gov.cn/eng/wjb/zzjg/jks/kjlc/qtwt/ t410768.htm (date accessed: 1 May 2011). 12 “China: Information Security, A June 1999 report from U.S. Embassy Beijing,” Internet, http:// www.fas.org/nuke/guide/china/doctrine/infscju99. html (date accessed: 30 April 2011). 13 The website for National Computer Network Emergency Response Technical Team/Coordination Center of China is www.cert.org.cn. 14 See note 11 above.

Protecting the National Interest in Cyberspace Major General Koen Gijsbers and Matthijs Veenendaal (MA) In a rapidly digitizing world, the Netherlands has one of the highest levels of Internet penetration (85.6 percent in December 2009).1 With a trade and services-oriented economy, the Netherlands benefits tremendously from the growing interconnectedness of the Internet and Communications Technology (ICT), which are the engines of its growth. Digital technology and the Internet offer untold possibilities for economic development and innovation. The dependency of highly developed economies on ICT networks and systems keeps growing rapidly and we will soon reach the point at which there will no longer be an alternative for digital services provided by government and the private sector. Cyberspace has a significant effect on the instruments of national power – diplomatic, information, military, and economic – that countries can wield. As Wikileaks has shown, the loss of control over sensitive information has negatively affected the United States’ diplomatic efforts and has damaged its international position. According to open sources,2 China and Russia are using cyber espionage to strengthen their economic and military position vis-à-vis the West, resulting in an economic loss of billions of dollars for the countries of North America and Europe. Financial losses due to cyber crime are also growing rapidly.3 NATO allies are rightly worried about

Koen Gijsbers serves as the principal coordinator for the Dutch Defense Organization. In 2006 he was appointed Assistant Chief of Staff for Command, Control, Communications, Computers, and Intelligence at NATO Allied Command Transformation Headquarters. Until August 2011 he was the Principal Director for Information and Organization at the Dutch Ministry of Defense. Matthijs Veenendaal studied contemporary history at the University of Leiden and has worked as a policy advisor for various ministries. Currently he is a senior policy advisor at the Ministry of Defense and co-author of the Defense Vision on Cyber Operations and Dutch National Cyber Security Strategy.

[ 1 91 ]

PROTECTING THE NATIONAL INTEREST IN CYBERSPACE

the use of cyber attacks, and cyberspace is now generally recognized as the fifth domain for military operations. This means that nations must develop a clear strategic vision on the importance of cyberspace in protecting their national interests and national security and on the role of government in protecting society as a whole against cyber threats. Our dependency on networks makes us vulnerable. While new technologies enable us to do many good things, there will always be people who use them for malicious purposes. It is therefore

security will be impossible to establish in cyberspace. An attacker has a particularly strong advantage in this arena. An attacker can hide a cyber weapon relatively easily, but a defender is faced with the challenges and limitations of attribution â&#x20AC;&#x201C; that is, the difficulty of establishing the origin of and intent behind an attack. The challenge is to develop resilient networks that can absorb an attack, limit its impact as much as possible, and be quickly restored to full operational capability. In-depth defense is essential. It is vital that we organize defense with

NATO allies are rightly worried about the

use of cyber attacks, and cyberspace is now generally recognized as the fifth domain for military operations. extremely important to ensure that we have access to a safe and reliable digital infrastructure. We have to prepare ourselves on the assumption that a determined adversary will be able to circumvent any defense, no matter how well it is designed. In most cases, it is safe to assume that an intrusion will be detected relatively quickly and that its damage will be limited, but there is no guarantee that all attacks can and will be detected. Even though the networks of the Dutch Defense Organization are relatively well protected, the possibility that they might be infiltrated and compromised without detection cannot be dismissed. The capabilities of malicious actors to gain access to networks and information systems are clearly not science fiction, yet the magnitude of the problem is difficult to establish precisely. As in every other domain, absolute

[192] Georgetown Journal of International Affairs

the knowledge that the Spetsnaz (Russian Special Forces) are behind the forward lines of our own troops. As a result, closing the front door is not enough; we need to look at abnormal behavior on our public and private networks to understand fully what is happening.

Integrated National and International Approach Cybersecurity depends on the ability of nations to protect cyberspace and on their capacity to tackle cyber threats, individually or collectively. By its very nature cyberspace is an integrated domain in which public and private, civil and military, and national and international actors operate simultaneously and are mutually interdependent. In addition, the techniques used by attackers are to a large extent tailored to the vulnerabilities of networks and systems. This makes a

GIJSBERS & VEENENDAAL

joint approach to cybersecurity essential. Given the central role of the private sector in the management of networks and the provision of digital services, improving cybersecurity will work only if public and private parties work closely together. Sharing knowledge and information on threats, vulnerabilities, and solutions is essential to increase the resilience of a nation’s digital infrastructure. Situational awareness is essential in cyberspace. We must have a clear picture of the technical nature of the threats we are dealing with as well as the intentions, means, and capabilities of attackers. To allow for an effective exchange of information we must change our approach from ‘need to know’ to ‘dare to share.’ This is easier said than done. In cyberspace, information is valuable and the willingness to share can be constrained by strategic, tactical, legal, or commercial considerations. But only through public-private cooperation can an effective common operational picture be established because many different actors control pieces of the information puzzle. ISPs have extensive knowledge regarding the threats posed to and the vulnerabilities of their networks; banks know much about the various manifestations of cybercrime; and the intelligence community can provide in-depth analysis of the intentions and capabilities of potential attackers. The essence of the Dutch national cybersecurity strategy is therefore to improve cooperation and coordination among all parties involved. This will include the public and private, civil and military, and national and international domains. One of the basic principles of the strategy is that primary responsibility for the protection of networks lies

International Engagement on Cyber

with the owners, not with the Ministry of Defense or any other government institution. Through the creation of a National Public-Private Cybersecurity Board, a strategic governing organization will be created in which agreements will be made on the implementation and further development of the national strategy. In the National Cybersecurity Center, both public and private organizations will pool information, knowledge, and expertise to increase insight into developments, threats, and trends and will offer support for incident response and crisis management. Participation in the National Center is voluntary but cannot be non-committal. If parties decide to make an active contribution they must be willing to share knowledge on a quid pro quo basis and pledge to invest in improving the security of their own organization. Partners cannot be free riders.

Fifth Domain Cyberspace is broadly recognized as the fifth domain for military operations in addition to land, sea, air, and space, and is the first man-made domain. Although cyberspace has already been used for military operations, much is still unclear about the nature of offensive cyber capabilities, the dynamics of cyber conflicts, and the way in which cyber attacks can help to achieve political objectives. As a means of obtaining a political objective a pure cyber war has its limitations. There seems to be no equivalent of a first strike capability in cyberspace. It is also not very plausible that cyber weapons of mass destruction will be developed, and the analogy of a new digital Pearl Harbor is not very useful. On the other hand, the concept of cyber

[ 1 93]

PROTECTING THE NATIONAL INTEREST IN CYBERSPACE

deterrence should be developed further. One of the central challenges for an attacker in cyberspace is the ability to launch a sustained attack. If a properly managed network is resilient it will probably be able to absorb an attack and recover relatively quickly, limiting the effect of the attack. An initial attack can have a severe impact on a nation’s digital infrastructure, but is unlikely to cripple the defenses of an adversary in a single strike, and would likely require follow-up attacks. This will pose some serious obstacles that will be very difficult to overcome on short notice. A cyber attack is therefore likely to lose its momentum after the initial strike. Let us make a comparison in military history. In World War I the massive use of artil-

while on the other, it might be complicated to limit its impact. An attack can very well have unforeseen consequences that limit its effect or achieve the opposite and do much more damage than intended. This does not mean that we should not concern ourselves with cybersecurity. Cyber attacks can pose a serious threat to our national security. Sustained harassment from an advanced adversary can do serious damage to a nation’s ability to conduct trade and provide essential (government) services, and can seriously diminish public trust in the government’s ability to protect its citizens and interests. The threat, therefore, is real, and we should be able to defend ourselves against attacks and to counter them. The armed forces must develop knowledge

The defense community must learn to

adapt quickly to new circumstances and speed up its procurement procedures. lery to destroy defensive positions was not enough to force a breakthrough. An infantry attack on a trench would likely be successful if an artillery barrage had been carried out properly. However, it proved to be almost impossible for the artillery to support a sustained attack on multiple trenches. After the first trench had been overrun, the artillery could not be brought forward quickly enough to allow for a successful attack on the second line, resulting in a deadly stalemate. Making a thorough assessment of the effects of a cyber attack before it occurs is also a serious challenge because the dynamics of cyber conflicts are little understood. On the one hand, it could be very difficult to aim an attack precisely,

[194] Georgetown Journal of International Affairs

and capabilities to operate effectively in cyberspace. As the British Chief of the General Staff, Sir David Richards stated, “[w]e must learn to defend, delay, attack and manoeuvre in cyber space.”4 From a military perspective, cyber capabilities must become an integrated part of any joint military operation in order to strengthen the effectiveness of the armed forces in all dimensions. Although it creates a popular and enticing image, it is not likely that future wars will be fought or decided by wiz kids hiding in attics. Cyber capabilities will be much more effective if they are designed to achieve an outcome as part of a larger military effort. For instance, by infiltrating an air defense system through a

GIJSBERS & VEENENDAAL

International Engagement on Cyber

computer network attack, an air assault to a major incident in cyber space. can be much more effective while limIn cyberspace, good intelligence is iting the risk of collateral damage. a precondition for effective and safe participation. It is essential to create Investing in Cyber Capability a strong information position regardAlthough the Dutch Defense Organiza- ing the nature and origin of a (potention has to deal with extensive budget cuts, tial) threat. It is also necessary to know which will limit the operational capabili- what (technical) capabilities (potenties of the armed forces, funds have been tial) adversaries possess. One of the made available to strengthen the capa- first priorities for the Dutch Ministry bilities for operating in cyberspace. The of Defense is therefore to increase the Netherlands will strengthen the protec- cyber capabilities of the Dutch Milition of its networks as well as its weapons tary Intelligence and Security Service. systems. The Dutch government will also Given the speed with which innovaincrease intelligence efforts, improve tion and product development take place flexibility, and develop knowledge and in the digital domain, government and capabilities to allow the armed forces the armed forces must also become more to operate in cyberspace. A cyber com- flexible and act as early adaptors of new mand will be created which will develop a technologies. Since much of this innodoctrine on cyber operations and define vation takes place in the private sector, and procure the means and capabilities close cooperation between the military that the armed forces should possess. and the high tech industry is essential. One of the greatest challenges that The defense community must learn to the Dutch government faces is to find adapt quickly to new circumstances and enough skilled personnel for its cyber speed up its procurement procedures. initiatives, since highly trained specialists are in short supply. By establishing a NATO The Netherlands strongly supDefense Cybersecurity Center, the gov- ports the ambition of NATOâ&#x20AC;&#x2122;s 2010 ernment can create a knowledge center Strategic Concept, which states that where it can educate and train staff. The â&#x20AC;&#x153;NATO will deter and defend against center will work closely with other public any threat of aggression and against organizations as well as the private sec- any emerging security challenges where tor. In order to raise the bar for educa- they threaten the fundamental security tion and research, a cybersecurity chair of individual allies and the alliance as will be established at the Netherlands a whole.â&#x20AC;?5 The revised NATO policy Defense Academy and cooperation with focuses almost exclusively on strengthother relevant universities and research ening the collective defense of critiinstitutions will be intensified. In order cal NATO CIS and the CIS of vital to make maximum use of scarce capa- NATO allies. This is of course the bilities, government organizations will primary responsibility of the Alliance. also look into the possibility of creating Because of legal, resource, and politia cyber defense reserve force, which will cal challenges, it seems to be too early for improve our knowledge base and allow us NATO to develop joint cyber capabilito better coordinate a national response ties to support a manoeuvrist approach

[ 1 95]

PROTECTING THE NATIONAL INTEREST IN CYBERSPACE

to cyber operations; this should not, however, result in a total disregard of the subject. If cyberspace is recognized as the fifth domain for military operations, NATO must strive to develop a joint doctrine and a common operational picture of the threats posed in cyberspace, the intentions of possible adversaries, and the development of cyber capabilities – those of opponents as well as those of allies. If allies agree, as seems to be the case, that purely defensive measures will likely be insufficient to deter a persistent opponent from using advanced technology, NATO must develop a vision on additional measures necessary to ensure the resilience, availability, and reliability of its networks, including a manoeuvrist approach to cyber operations. We must accept that the cyber threat is real and growing. Although we should avoid portraying this threat in apocalyptic terms we cannot dismiss it as a mere nuisance. Cyber attacks can cause major

disruptions in societies and result in substantial economic loss. We must also acknowledge that, given the interconnectedness of the cyber domain and the central role of private parties in maintaining and operating the ICT infrastructure, the threat can only be countered effectively through close publicprivate, military-civilian, and nationalinternational cooperation. The military must also define its role in cyberspace and develop the necessary means and capabilities for conducting cyber operations. In doing so, defense organizations must avoid defining cyberspace as an independent domain. Cyber capabilities will be most effective when they form an integrated part of the total military capabilities. From the growing importance of cyberspace for defense organizations naturally follows that NATO must also develop a clear doctrine for its role in cyberspace that should not be limited to purely defensive measures.

NOTES

1 “Top 58 Countries with the Highest Internet Penetration Rate,” Internet World Stats, Internet, http:// www.internetworldstats.com/top25.htm. 2 See, for instance, the USCC report “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation” (October 2009), or the annual report of the Dutch General Intelligence and Security Service (April 2010). 3 See, for instance, “2010 National Cyber Crime and Digital Safety Trend Report,” Dutch National Government, Internet, http://www.govcert.nl/

[196] Georgetown Journal of International Affairs

binaries/live/govcert/hst%3Acontent/english/service-provision/knowledge-and-publications/trendreports/trend-report-2010/trend-report-2010/ govcert%3AdocumentResource/govcert%3Aresource. 4 “Armed Forces chief to set up UK cyber warfare unit to launch attacks on enemies in cyberspace,” Mail Online, Internet, http://www.dailymail.co.uk/ news/article-1345490/Armed-Forces-chief-set-UKcyber-warfare-unit-launch-attacks-enemies-cyberspace.html 5 NATO Strategic Concept, Internet, http://www. nato.int/cps/en/natolive/topics_56626.htm.

All Done Except the Coding:

Implementing the International Strategy for Cyberspace Matthew G. Devost, Jeff Moss, Neal A. Pollard, and Robert J. Stratton III On 16 May 2011, President Barack Obama released his International Strategy for Cyberspace,1 which, in conjunction with cybersecurity legislation sent to Congress on 12 May 2011,2 comprises this Administration’s unique vision and policy for cyberspace. Implementation will be the devil in the details; the strategy is necessary, but not sufficient. This paper highlights some key decisions, balances, and actions that remain as U.S. departments and agencies craft or modify their own strategies over the next several months to align with the President’s policy objectives. This paper also considers how other stakeholders—especially the private sector and other nations—regard their roles and mutual expectations.

Context The release of the International Strategy marks two years since the

Obama White House conducted its cyberspace policy review. In that time, new issues have come up, and there has been increasing need for an overarching cyberspace strategy to articulate threats and challenges, to prioritize national objectives, to provide guidance for departments and agencies developing their own strategies, and to establish expectations for all stakeholders. The International Strategy has been introduced at a time when cyberspace issues have taken on increasing prominence. Within the United States, the President appointed Howard Schmidt as the Coordinator for White House Cybersecurity in 2009, who is responsible for reporting directly to the President. Meanwhile the Department of Defense (DoD) established U.S. Cyber Command (USCYBERCOM)—an operational command headed by the Director of the National Secu-

[ 1 97 ]

ALL DONE EXCEPT THE CODING

rity Agency—as part of an articulated policy that views cyberspace as a domain of conflict, similar to land, air, sea, and space. The DoD publicly articulated its view of operations in cyberspace on 14 July 2011, when it released an unclassified version of its “Department of Defense Strategy for Operating in Cyberspace.”3 Congress has also been involved in cyber issues, producing multiple versions of comprehensive bills to address national cybersecurity, none of which have been submitted to the President for his signature. In the private sector, leading firms in information, defense, finance, and chemical industries have increasingly suffered network attacks. Similarly, countries such as China have targeted Internet service firms, including Google, as they have delved into the international policy domain. Some attacks have been highly sophisticated, such as the targeted malware attack that was supposedly aimed at Iran’s uranium enrichment processes. Wikileaks has demonstrated the other side of unsophisticated threats that arise from tactical, rather than technical, failures that can have national and international effects well beyond the military domain. Lastly, a combination of social and technical networks continues to drive change across the Middle East. All of these examples indicate how countries such as the United States, China, and Egypt will have different perspectives on what constitutes a national security threat in cyberspace.

into an overarching vision that enhances prosperity, security, and openness in cyberspace. The International Strategy addresses both threats and value-laden challenges in cyberspace that range from cyber crime, intellectual property theft, and conflict, to censorship, unreasonable surveillance, repression, and disruption of networks that further political objectives. The International strategy is clear regarding the potential of conflict in cyberspace: “The United States will respond to hostile acts in cyberspace as we would to any other threat to our country. All states possess an inherent right to self-defense, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners.”4 Confronting these threats and challenges requires consensus and the promulgation of norms among international and private-sector partners. To this end, the International Strategy explicitly invokes the “three Ds” of implementing national security policy: diplomacy, defense, and development.5 The emphasis that the International Strategy places on norms— even technical norms grounded in the language of standards and governance—will rely heavily on diplomacy, and particularly on State Department resources. As many observers have noted, there is a drastic imbalance in resources among agencies, as defense is significantly better resourced than diplomacy or development; this, in From Policy to Implementa- turn, forces the DoD to engage in tion The International Strategy aims non-military tasks abroad and to supto merge U.S. security, as well as eco- port civilian missions domestically. nomic, social, and technological values In order to implement the Inter-

[198] Georgetown Journal of International Affairs

DEVOST, MOSS, POLLARD, STRATTON

national Strategy, this imbalance must be mitigated. Similarly, the United States must also reconcile that the State Department recognizes differences between domestic and foreign domains, while cyberspace does not. This is more than a question of resources: it is a question of balanced action within the U.S. government. Departments and

International Engagement on Cyber

Strategy and the debate that it is sure to generate among international and private-sector partners create an opportunity to provide the guidance that departments ordinarily expect from the President on how the U.S. government will operate in cyberspace, and how it will partner with the private sector and international partners. These

Ultimately, solutions should not be more costly or damaging than the problem. agencies must receive clarification, directives, and prioritization as they pursue the goals and norms laid out by the President over the next several months. Furthermore, pursuing the norms of the International Strategy requires engaging all stakeholders. The U.S. government must establish more specific expectations and actionable direction for state, local, tribal, nongovernmental, and private-sector entities, as well as communities and individuals, if all of these stakeholders are to play a meaningful part in pursuing norms.6 Finally, the White House must make hard policy trade-offs for responsibilities, resources, and investments in pursuing the International Strategy. This final element is a fundamental question of policy and strategy. What are the trade-offs among objectives or norms that generate tension when put into practice? What are the assumptions that underlie objectives and trade-offs, and where should we strike balances to mitigate tension? What are the consequent resource implications of these balances and trade-offs? The normative nature of the International

directives also include how department and agency priorities, resources, and actions should flow accordingly.

From Threats to Risks Some

challenges and threats outlined in the International Strategy are unique to cyberspace; others are not. For example, crime, terrorism, exploitation, and military conflict exist both in virtual networks and on real estate, but cyberspace can â&#x20AC;&#x153;boost the productivityâ&#x20AC;? of legitimate and illegitimate actors alike. Framing risk in cyberspace should have a heavy economic emphasis, in terms of the deleterious economic effects of threats, as well as the negative economic effects of unwise solutions to threats, and the potential spillover of risks and costs in interdependent issue-areas. Ultimately, solutions should not be more costly or damaging than the problem. The effective implementation of the International Strategy will frame the problem and provide this risk management perspective to guide those with the responsibility to manage these risks. Managing risk in cyberspace also means agreeing on some fundamental

[ 1 99]

ALL DONE EXCEPT THE CODING

cyberspace assumptions and realities. If the United States suffers a societal infrastructure disruption, such as a massive power grid collapse, after some use of forensics we will likely be able to verify that we have been attacked (as opposed to an accident). For most threats, however, we should not assume that it will be apparent that an attack has taken place. This is particularly true in the case of embedded malware used for stealing or corrupting information, since it can also be used for later disruption (as can most tools of espionage, cyber or otherwise). Thus, event detection can be more important than event response. Consensus around assumptions of event detection will inform where departments and agencies set priorities for actions and investments. These same assumptions will guide the government’s conversation with international and private-sector partners, in building consensus for norms. Thus, the ultimate success of the International Strategy depends to some degree on articulating these assumptions, and making sure they are thoroughly considered. Moreover, implementing and building consensus around the International Strategy should emphasize the embedded non-technical nature of the threat, ranging from insiders who are malicious, careless, or ignorant and naïve, to compromised, counterfeit, or suspicious products entering our cyber-supply chain. Similarly, responses to technical threats require a strategic, integrated, and non-technical approach. The problem of assuring reliability, integrity, and trust (in insiders, suppliers, manufacturing processes, etc.) is probably the least under-

[200] Georgetown Journal of International Affairs

stood risk in cyberspace. Restoring trust and reliability is generally more expensive, time consuming, and difficult than restoring service, and involves more than mere technical patches. Mitigating threats will call for significant nontechnical standards, actions, and partnerships that go beyond the traditional set of stakeholders in cybersecurity.

From Strategy to Stakeholders

The release of the International Strategy presents an opportunity to update concepts and means for identifying stakeholders in cyberspace and drawing zones of responsibility around them. In fact, it is crucial for the success of the strategy: implementing this strategy and building support for its norms will require setting and communicating expectations among nontraditional strategic stakeholders who will drive its success. The International Strategy rightfully commented on the need for innovative incentives for the private sector to fulfill national security goals. The challenge, of course, is how to achieve this. In order to create effective incentives, the U.S. government must precisely express the roles, responsibilities, and expectations that should be placed upon the private sector, and identify how they differ from what the private sector sees for itself. Here, subsequent activity and guidance from the White House can serve two purposes. First, it can clearly articulate the U.S. government’s perspective of where cyberspace issues become “governmental,” and where they should be the responsibility of the private sector. Second, it can be an instrument and a process in building trust, confidence, and cooperation between the govern-

DEVOST, MOSS, POLLARD, STRATTON

ment and private sector, as a beginning of a dialogue to draw lines of responsibilities and communicate mutual expectations. The U.S. government should use the International Strategy as a single transparent expression of the government’s intent, expectations, and priorities. Transparency is necessary, but not sufficient: the strategy process must draw lines of where government responsibility ends and private sector responsibility begins. The private sector must be actively engaged in this process. If the White House brings the private sector into the nuts and bolts of its strategy process, it will give both sides the chance to see, and test the feasibility of, each other’s expectations. At the least, it will result in a process more preemptive and deliberative, and less ad hoc and reactive only to near-term failures. In the past three years, private corporations and even individuals have provided the most effective and responsive models on dealing with single threats or vulnerabilities: for example, the Conficker/Downadup Working Group, and Dan Kaminsky’s effort to address critical DNS vulnerabilities. Yet the Y2K effort showed that the government can also take the initiative in models that leverage the best of both worlds: the creativity and responsiveness of the private sector, with the deliberation, resources, reach, and convening power of the U.S. government. The strategy process is the ideal forum in which to identify critical partners as stakeholders. It is an old truism that the private sector owns between 80 and 90 percent of critical infrastructures. Reaching out to the largest publicly traded companies in any given infrastructure sector is also

International Engagement on Cyber

necessary, but not sufficient, to reach the spectrum of stakeholders who play security roles in cyberspace. The issue is complex because influential (or vulnerable) stakeholders and businesses appear rapidly, and may disappear just as quickly. Moreover, their roles in economic or national security might not be as familiar or intuitive as those of an energy or telecommunications provider. Facebook presents a good example of the challenge of defining who is a stakeholder. There is disagreement over whether Facebook and other social networks are part of the “critical infrastructure,” even though Facebook has over 500 million active users and influences social issues, economic trends, and privacy in ways that are difficult to measure. Indeed, social networks have played a significant part in transforming the Middle East in 2011. In terms of both capability and sheer ubiquitous presence, social networking media platforms like Facebook are stakeholders in cybersecurity; to consider them otherwise denies the United States both a potential source of capability and an insight into vulnerability. On the other hand, such companies highlight, in single entities, the tensions among the norms and goals of the International Strategy: prosperity, openness, stability, and privacy. Implementation of the Strategy must balance the prioritization and pursuit of norms while incorporating all stakeholders, in order to mitigate the tensions that those very stakeholders might create by virtue of their existence. Certainly, this issue will come up as U.S. diplomats engage their interlocutors in less open countries.

[ 20 1 ]

ALL DONE EXCEPT THE CODING

Prosperity, Security, and ability. Of course, we want to reduce Openness: Pick Two The Inter- both threats and recovery time. But national Strategy’s goals of prosperity, security, and openness are interdependent. Put into practice, they may generate tension, if not mutual antagonism. This is especially true when international partners have fundamentally different perspectives about what constitutes a national security threat in cyberspace. There remain hard decisions at the national level, about what the United States wants to achieve against the International Strategy’s goals and norms, and at what cost to

resources are zero-sum and must be driven by priorities, which are based in part on assumptions, and generate expectations. In this regard there remains a gap between the International Strategy and U.S. government departments and agencies, that leaves unanswered questions of prioritization. At the departmental level, do we invest more in threat reduction and attack prevention, or in recovery and resilience? Do we seek to extend the time between failures, or to reduce

The International Strategy’s goals of prosperity, security, and openness are interdependent. other goals. These decisions go to the heart of the priorities and trade-offs that the U.S. must set to achieve realistic and balanced security – including economic security – in cyberspace. This illustrates the complexity of a “whole of government” approach in cyberspace: there must be decisions about which instruments of national power are best positioned to achieve certain goals, and what the costs and trade-offs of those instruments will be. If all goals are equally important, none is a priority. Cyberspace will always be an imperfect world. Attacks will happen, and despite pursuit of international norms, the United States must learn to function effectively in a cyberspace full of compromised networks, flawed systems, and vulnerable users, where risk will never reduce to zero and humans will continue to pose a primary vulner-

[202] Georgetown Journal of International Affairs

the time to recovery? What kind of failures should we be prepared to accept, especially if lowering the risk is more expensive than the failure itself? How do these answers change across departments, missions, or threats? The White House must support a directive process that provides policy guidance to departments and agencies on prioritizing between threat reduction and prevention on one hand, and recovery and resilience on the other: what these priorities mean, and how expectations and resources should flow from them, both in the government and the private sector. This latter point will form the foundation for a new set of norms for the private sector in managing and hedging between risk and resilience, and establishing assumptions about what, and when, government resources will be

DEVOST, MOSS, POLLARD, STRATTON

available. From this guidance, departments and agencies can better build strategies, plans, and investments. Privacy is another trade-off, since it is sometimes at odds with the goal of openness in cyberspace. The White House should take the lead in a national dialogue on privacy issues, to update public policy on privacy. For example, privacy invasion and risks of abuse are no longer the exclusive province of national governments. Privacy policy should also protect individuals who freely, but unknowingly, mortgage control over their personal information to a myriad of commercial third parties who have few incentives and fewer requirements to hold such information responsibly. Privacy law and policy are woefully outdated, as are many citizens’ assumptions about their personal information. In this environment, lack of clear statements on privacy and data retention guidelines or expectations have caused platforms like Facebook endless problems, and have even spawned competitors who promise better privacy. The President should begin a dialogue that helps stakeholders to understand and begin to control the expectations and trade-offs among convenience, efficiency, privacy, and information responsibility. This will also be of immense help to diplomats and homeland security officials, as they continue to engage their foreign interlocutors in Europe as well as Asia on an issue where the United States stands virtually alone. However, the President alone cannot remedy privacy problems. Concurrently, Congress must modernize public policy principles in an era of e-commerce, social networking media,

International Engagement on Cyber

data mining and retention, and high premiums on information sharing.

Organization and Guidance U.S. departments and agencies will be the primary consumers of the International Strategy, and will build on its vision in order to provide better services to the public. Consequently, many departments and agencies will develop their own strategies, plans, and capabilities for operating in cyberspace, to implement the International Strategy and pursue its goals. With this truly “whole of government” approach to cyberspace, there remain key issues that require resolution at the national level, concerning roles and responsibilities, particularly with respect to DoD and DHS, both of which have significant leading roles in securing cyberspace. Here, two substantive issues call out for White House guidance that the International Strategy does not address. The first issue is securing the global supply chain. Both DoD and DHS have roles in protecting government supply chains and logistics systems from cyber attacks. This includes awareness of risks to the cyber-supply chain: malware and counterfeit products inserted into the supply chain from malicious actors upstream, which cause unintentional failures to – or even sabotage – systems that rely on software, firmware, and hardware. It is not feasible to inspect every line of code or every processor that goes into even the most sensitive government systems. However, risk management strategies and capabilities can mitigate the risk. DHS and DoD should work in tandem, but under an overarching top-down strategy that provides

[ 20 3]

ALL DONE EXCEPT THE CODING

guidance on common risk management approaches against this challenge. The second issue is the question of DoD support in response to a truly national cyber-crisis. Despite the wild rhetoric surrounding “cyberwar,” the material question is, what cyber events would definitively require a DoD response with its unique capabilities, what are those capabilities, when is the DoD the “lead” federal agency in response, and how does it provide its unique capabilities in support to civilian authorities, or even the private sector? Currently, the DoD has a qualitatively different level of capabilities to operate in cyberspace—offensively and defensively—than any civilian department or agency, yet there is a finite number of rather extreme scenarios in which a crisis would demand a DoD response beyond the capacity of any civilian agency. Unless a nation state is behind the attack or the attack focuses solely on defense targets, the DoD would operate in a supportive role similar to its support of civilian authorities in the event of a natural disaster. This is one of the primary reasons behind the close integration and coordination of USCYBERCOM personnel with DHS personnel. Supporting civilian authorities in cyberspace will not be like supporting civilian authorities in real-world disasters. The government will not be able to draw a border around the disaster area, and thus will have a more difficult time gauging the extent of the damage and the unintended consequences of response measures outside the immediately affected “zone.” These unintended consequences might affect privacy, movement, or economic issues of pri[204] Georgetown Journal of International Affairs

vate and international actors seemingly “outside” the disaster zone. Indeed, it is not clear who has the primary legal authority below the Presidential level, to declare a “disaster” analogous to a governor in a natural disaster, and what the role of corporate leadership should be. Yet there is little policy guidance, let alone an enabling legislative framework like the Stafford Act, that provides for defense support to civilian authorities and the private sector in cyberspace. A national strategy should articulate how to expand the capabilities USCYBERCOM into a truly national resource. This White House coordinator should work with DoD, DHS, and other key stakeholders to articulate situations in which a military response would be necessary, when it would be in support of civilian authorities (perhaps even specifically which agencies), and what operational command and accountability lines different agencies should follow. Additionally, the White House should update its legislative package sent to Congress to call out where the legislative framework and consequent authorities are insufficient to enable DoD to come to the aid of civilian agencies. Given that such a response would likely cross international borders quickly, the International Strategy can be a useful device to extend U.S. defense in cyberspace beyond our borders, in the spirit of support to both civilian authorities, the private sector, and international partners, when their own vulnerabilities pose a hazard to the United States.

Interagency Effectiveness and Coordination No one likes having homework graded. Yet, measur-

DEVOST, MOSS, POLLARD, STRATTON

ing departmental and agency progress against national objectives is necessary to track improvements and to ensure that the “whole of government” effort is well tuned and making the nation safe and prosperous. To implement the International Strategy, the White House should produce a roadmap and general benchmarks against which departments, agencies, and other stakeholders can measure whether activities, resources, and investments are progressing and consistent with priority activities established in the Strategy. Strategic-level benchmarks will address strategic effectiveness at an enterprise level, beyond simple technology acquisition and will reduce dependencies on technical remediation or meaningless compliance thresholds (e.g., agencies being graded on how many firewall or anti-virus licenses they buy). Moreover, any strategy will be a snapshot in time; as strategy iterations mature, national leadership will be able to identify what works and which national activities are moving the private sector or international community toward consensus around norms. Perhaps the greatest utility for the International Strategy is its use as a tool for the White House Coordinator. This is most apparent at the nexus of national security, economic development, and trade policy. Coordination is critical among the Cybersecurity Coordinator, the National Security Staff, the National Economic Council, and the U.S. Trade Representative. Presidential direction from the International Strategy can enhance coordination by providing the Coordinator with a tool to assist the departments and agencies, by presenting

International Engagement on Cyber

them with values, goals, and top-level guidance. Indeed, as the Coordinator can articulate the cyber aspects of what the U.S. government is prepared to do to defend U.S. businesses on the world trade stage, he can serve a primary role as proponent of America’s competitiveness in cyberspace. This is where practical tensions arise and require White House coordination, not only among prosperity, security, and openness, but among policies for cyberspace, economic development, national security, and trade. For example, does the World Trade Organization framework offer adequate protection against obvious intellectual property theft and unfair competition today, and how can U.S. trade policy compensate? What are the economic and national security considerations and trade-offs? What can the national security community offer the trade community in protecting IP while pursuing commerce in the globalized marketplace? Are we finally at the point where our intelligence community has something to offer, such as defensive advice or due diligence, to American corporations? These questions present difficult choices, and future policies will require careful and transparent deliberation, balance, and coordination among stakeholders and regulatory regimes. Unintended policy interactions and consequences can weaken America’s overall cybersecurity posture as well as economic strength. For example, tight encryption export controls can adversely affect the ability of business and financial sectors to protect their information. Economic policies intended for intellectual prop[ 20 5]

ALL DONE EXCEPT THE CODING

erty protection can impact security research, as has been the case with the Digital Millennium Copyright Act and anti-circumvention/reverse engineering prohibitions. Cost-of-entry of software patents has driven some innovators out of Silicon Valley and into overseas innovation hubs. To the extent that we add risk or cost to private sector cybersecurity research and development, we are likely to drive capabilities and markets overseas. The White House Coordinator for Cybersecurity will not solve these problems, but can provide the process and discipline to translate the International Strategy into actionable guidance and priorities across cyberspace norms as well as U.S. security, economic development, and trade goals. Furthermore, the Coordinator can ensure that the aggregate efforts of the United States reflect the best possible trade-offs while building international consensus around norms, while ensuring that government actions are coordinated, integrated, and prioritized to maximize the nation’s economic and national security.

tive package presented to Congress on 12 May 2011, Obama noted that the last Congressional session introduced approximately fifty cyber-related bills, including some comprehensive ones. As broadly as the President’s vision covers cyberspace, it is the vast number of Congressional committees that might claim jurisdiction over the matter. Congress should be as bold as the White House and streamline how it exerts oversight on different aspects of cyberspace. Congress should reform its oversight, both structurally and substantively, to better address the spectrum of challenges in cyberspace. While there will be no single Committee in either House with plenary and sole jurisdiction over cyberspace, a good start would be to reform oversight and organization over those departments and issues that have significant responsibilities or implications in cyberspace, especially in homeland security, intelligence, and foreign relations and trade. This will come to a head if there is a significant incident. In responding to every modern crisis thus far, the United States has acted consistently in one respect: it forms a commission. Congress Congress must act to This will likely be the case in response update public policy and legislation on to a catastrophic cyber event. In that both substantive (privacy) and admin- case, such a commission would likely istrative (authorities) issues. This is be needed just to manage effectively beyond the authority of the President, the number of queries from the lawand it highlights another element of makers on committees with jurisdicthe complexity of this issue. There is a tion. Here, the authors see this type myriad of committees and subcommit- of commission as sharing the unfortees with jurisdiction over DHS, DoD, tunate lament of the Commission on and the Intelligence Community, in the Prevention of Weapons of Mass addition to economic activities, diplo- Destruction Proliferation and Terrormacy, development, law enforcement, ism: “One consequence of Congress’s science and technology, commerce, failure to adapt to the evolving nature etc. In the President’s own legislaof national security threats is the out[206] Georgetown Journal of International Affairs

DEVOST, MOSS, POLLARD, STRATTON

International Engagement on Cyber

sourcing of national security oversight that he intends to meet this generato external commissions like this one.”7 tion’s “Sputnik” moment with a policy of massive investment in research, Conclusion The Internation- development, and innovation that “we al Strategy for Cyberspace gives the haven’t seen since the height of the United States a solid vision for norms Space Race,” referring to the Soviet of behavior to make cyberspace pros- Union’s surprise launch of their Sputperous, secure, and open. Now the nik satellite. As in the Space Race, government needs a plan for imple- the U.S. President has tied economic mentation. Despite the clarity of the progress, technological innovation, President’s vision, different agencies and national security to an implied will have differing interpretations of set of national priorities, in response strategies, authorities, and priorities. to an external economic and politiInteragency coordination—a primary cal threat. Now we are in a race for challenge in cybersecurity—fails with- innovation in cyberspace. As President out implementation and accountabil- Obama said, “after investing in betity. Departments and agencies will be ter research and education, we didn’t responsible for engaging international just surpass the Soviets; we unleashed partners and can use different sets a wave of innovation that created new of incentives to build consensus with industries and millions of new jobs.” their counterparts. The private sector Unlike in the Sputnik era, howis also a critical partner, but cannot ever, the costs and barriers of stealbe expected to respond to the same ing our innovations are significantly incentives as government agencies or lower than the costs of that innovation. international partners. Implementa- Genius flows from networks, but our tion is key to reconciling these poten- ability to network has always outpaced tial points of divergence and tension. our ability to protect the network. Furthermore, this Strategy should The priority of the President’s policy be considered a snapshot of a point should be to create security around in time: it should be updated regu- our genius, to ensure that we realize larly, given the enormous, dynamic, the full extent of return on investand uncertain rate of change in tech- ment, and to position the country nologies, threats, opportunities, and against whichever competitors proprogress toward the Strategy’s vision. voke a Sputnik moment, by whatever President Obama announced in means they choose to compete with us. his 2011 State of the Union Address

[ 20 7 ]

ALL DONE EXCEPT THE CODING

Matthew G. Devost is President & CEO of FusionX, LLC, a cybersecurity consultancy. Additionally, Mr. Devost has been an Adjunct Professor at Georgetown University since 2002, where he teaches a graduate course on Information Warfare and security, and is a Founding Director of the Cyberconflict Studies Association. Mr. Devost co-founded the Terrorism Research Center, Inc. (TRC) in 1996, where he served as President and CEO until November 2008.

Neal A. Pollard is a Director at PricewaterhouseCoopers. He is also Adjunct Senior Fellow for Cyber Policy at the Federation of American Scientists, and Adjunct Professor at Georgetown University. Previously, he was a senior officer in the Office of the Director of National Intelligence, International Affairs Fellow of the Council on Foreign Relations, and General Counsel and Board Director of the Terrorism Research Center, a corporation he co-founded in 1996.

Jeff Moss has been a hacker for over twenty years. He is currently Vice President and Chief Security Officer of the Internet Corporation on Assigned Names and Numbers (ICANN). He is also the Founder and Director of Black Hat and DEF CON Computer Hacker Conferences. He currently serves as a member of the U.S. Department of Homeland Security Advisory Council, and is a member of the Council on Foreign Relations.

Robert J. Stratton III is an independent consultant specializing in multinational network security. Previously, he was Director of Government Research at Symantec Research Labs, co-founder and Chief Technology Officer at StackSafe, the first Director of Technology Assessment at In-Q-Tel, co-founder and Chief Technologist at Security Design International, and founder of the security organization at UUNET, one of the first tier 1 Internet service providers.

NOTES

1 “International Strategy for Cyberspace,” The White House, Internet, http://www.whitehouse.gov/ sites/default/files/rss_viewer/international_strategy_ for_cyberspace.pdf (date accessed: 16 May 2011). 2 “Fact Sheet: Cybersecurity Legislative Proposal,” The White House, Internet, http://www.whitehouse. gov/sites/default/files/fact_sheet-administration_ cybersecurity_legislative_proposal.pdf (date accessed: 16 May 2011). 3 “Department of Defense Strategy for Operating in Cyberspace,” Defense Department, Internet, http://www.defense.gov/news/d20110714cyber.pdf (date accessed: 21 August 2011). 4 The White House, “International Strategy for Cyberspace” (May 2011), p. 14. 5 For a general description and assessment of this policy framework, see Lawrence J. Korb, “Development, Defense, and Diplomacy as a Policy Frame-

[208] Georgetown Journal of International Affairs

work,” Center for American Progress, Internet, http://www.americanprogress.org/issues/2009/03/ korb_africom.html (date accessed: 19 May 2011.) 6 The DHS Quadrennial Homeland Security Review defines the “homeland security enterprise” as “the Federal, State, local, tribal, territorial, nongovernmental, and private-sector entities, as well as individuals, families, and communities who share a common national interest in the safety and security of America and the American population.” Given the pervasive nature of modern IT networks, and the ability of individuals to rapidly form and dissolve communities of interest, this seems to the authors a reasonable list of stakeholders and levels at which policy should operate. 7 Senator Bob Graham et al, World At Risk: The Report of the Commission on the Prevention of WMD Proliferation and Terrorism (New York: Vintage Books, 2008), p. 90.

The Geo-Political Strategy of Russian Investment In Facebook and Other Social Networks Jeffrey Carr There is a troika of powerful individuals fueling the growth of the Russian Internet and Russian investments in cyberspace while serving the interests of the Kremlin. They are Gleb Pavlovsky (founder, Foundation for Effective Politics), Vladislav Surkov (Deputy Chief of Staff of the President of the Russian Federation), and Yuri Milner (CEO, DSTGlobal, Inc.). Their genesis of power and influence began in the mid-nineties when the Russian Internet was still in its infancy. Now, as regime change sweeps across Northern Africa and the Middle East and is broadcast live on Twitter, Facebook, and YouTube, Internet-savvy politicians and businessmen are the new power brokers in the Kremlin.

Jeffrey Carr is the founder and CEO of Taia Global, Inc., an Executive Cyber Protective Services company, and the author of Inside Cyber Warfare (O’Reilly Media, 2009).

Gleb Pavlovsky The 1990s were the formative years of

the Russian Internet (Runet), which was led in part by Gleb Pavlovsky and his Foundation for Effective Politics. Pavlovsky saw the value of a Russian Internet early on and was instrumental in creating the first Russian online news magazine, Russkiy Zhurnal, and helped to organize and fund the creation of Lenta.ru, Gazeta.ru and other news sites. He served on four Presidential election campaign staffs in 1996, 2000, 2004, and 2008. Pavlovlsky’s book publishing house, Yevropa, published “Khroniki Informatsionnoy Voynyby” (Information

[ 20 9]

THE GEO-POLITICAL STRATEGY OF RUSSIAN INVESTMENT

Warfare Chronicles) by Maksim Zharov and Timofey Shevyakov, which documented the online attacks between Russian and Georgian hackers during the five-day war of August 2008.1 The book opens with the following paragraph: “Net wars have always been an internal peculiarity of the Internet — and were of no interest to anyone in real life. The five-day war showed that the Net is a front just like the traditional media, and a front that is much faster to respond and much larger in scale. August 2008 was the starting point of the virtual reality of conflicts and the moment of recognition of the need to

tions made it official. He is considered the Chief Ideologue of the Kremlin and is an ardent supporter of online activism in support of the interests of the Russian Federation and the United Russia party. After Kyrgyzstan’s 2005 Tulip revolution, Surkov founded a youth organization called Nashi (“Us”), whose purpose was to support then-President Putin and the United Russia Party against counteropposition groups— both physically and in cyberspace. The Nashi is funded in part by the Federal Agency for Youth Affairs headed by co-founder Vasily Yakemenko.4 On 21 May 2009, Russian Presi-

There is a troika of powerful individu-

als fueling the growth of the Russian Internet and Russian investments in cyberspace while serving the interests of the Kremlin. wage war in the information field too.” As of 27 April 2011, Pavlovsky and the Foundation for Effective Politics have fallen out of favor with the Kremlin for political reasons related to the upcoming 2012 Presidential election. According to the RIA Novosti website, Vladislav Surkov personally terminated EPF’s contract.2

Vladislav Surkov Vladislav Surkov,

known as the “Grey Cardinal” and the “Dark Prince of the Kremlin,” worked for Mikhail Khodorkovsky at Bank Menatep from 1991 to 1996.3 In 1999, Surkov became Deputy Chief of Staff of the President of the Russian Federation—the same year that Boris Yeltsin resigned and Vladimir Putin became acting President until the 2000 elec-

[210] Georgetown Journal of International Affairs

dent Dmitriy Medvedev signed an edict creating a presidential commission for the modernization and technological development of the Russian economy. Medvedev is chairman, and Vladislav Surkov is one of two deputy chairmen (Sergey Sobyanin, Chief of Government Staff and Deputy Prime Minister, is the other). Yuri Milner is the only non-governmental employee who serves on this commission, which makes his inclusion in it highly significant.

Yuri Milner After graduating from

the Wharton School of Business with an MBA, Yuri Milner worked in Washington, D.C. for the World Bank until the Spring of 1995 when he was recruited by Mikhail Khodorkovsky to run

CARR

his investment brokerage company, Alliance-Menatep. In February 1997 Milner became Deputy Chairman and Head of Investment Management for Bank Menatep.5 During the next two years, Milner was involved in evaluating investment opportunities for the bank and, in particular, Internet properties. While at Menatep, Milner formed New Trinity Investments. When the bank lost its license in 1999 for financial misconduct (Khodorkovsky is currently serving time in a Russian prison), Milner branched out on his own and launched an Internet services company called NetBridge in 2000, which was most likely funded through New Trinity.6 In February 2001, NetBridge merged with another Internet company (Port.ru) and became Mail. ru, which, ten years later under Milners’s leadership, earned almost U.S. $1 Billion in its Initial Public Offering (IPO) on the London Exchange. Mail.ru was originally the press service for a large Russian conglomerate called Neftyanoy Concern, which is a major holding company with investments in the financial (Neftyanoy Bank), energy, real estate, food, and Internet sectors. In 2003, Milner moved from the position of CEO/Chairman of Mail.ru to Director General and Chairman of the Board for Neftyanoy Concern. In 2005, Neftyanoy bank was charged with money laundering and its CEO, Igor Linshits, eventually fled the country. Milner was not charged with any wrongdoing, but this period of his life was not disclosed in the Goldman Sachs prospectus for the Mail.ru Group IPO, nor was it mentioned in his bio at the former Digital Sky Technologies website.

International Engagement on Cyber

2005: A Turning Point 2005 was

a pivotal year for the Russian government. Longtime evangelists Pavlovsky and Surkov had a concrete event (the Tulip Revolution) that would substantiate the need for investment in Internet technologies by the Kremlin.7 In a June 2005 interview with The St. Petersburg Times, Surkov said that there would be no Orange revolution in Russia. “There will be no uprisings here,” said Surkov, who oversees the Kremlin’s relations with political parties, parliament and youth organizations. “We realize, of course, that these events have made an impression on many local politicians in Russia — and on various foreign nongovernmental organizations that would like to see the scenario repeated in Russia.”8 2005 was also the year that Yuri Milner left Neftyanoy Concern and founded Digital Sky Technologies (DST) with co-founder Gregory Fingar of New Century Investments. From 2005 forward, the Russian Internet was not only just a place to do business. It had also become a new warfighting platform from which attacks could be launched against both external and internal opponents with complete anonymity. Thanks to the enormous popularity of social networks worldwide—the very networks in which Milner and DST were investing—the Russian Internet also came to provide a selffunding open source intelligence operation for the Russian Security Services. As investments ramped up, so did the Kremlin’s use of cyberspace as an attack platform. Kyrgyzstan (2005), Estonia (2007), Georgia (2008), and possibly Kyrgyzstan again (2009) represent four well-known examples of Internet-based attacks against external opponents.

[ 21 1 ]

THE GEO-POLITICAL STRATEGY OF RUSSIAN INVESTMENT

However, the Russian Internet was also being used to control internal dissent. In March 2009, Vladislav Surkov organized a conference of Russia’s top bloggers to announce a new Internet strategy for influence operations. According to The New Times Online, “[t]he aim of the conference is to work out a strategy for information campaigns on the Internet. It is formulated like this: ‘To every challenge there should be a response, or better still, two responses simultaneously,’ a source who is familiar with the process of preparations for the meeting explained. ‘If the opposition launches an Internet publication, the Kremlin should respond by launching two projects. If a user turns up on LiveJournal talking about protests in Vladivostok, 10 Kremlin spin doctors should access his blog and try to persuade the audience that everything that was written is lies.’”9

DST and the Kremlin In May 2009 Yuri Milner was simultaneously promoted to a Presidential commission (May 15) and closed his first $200 million investment in Facebook (May 26).Six months later, as he contin-

of illegal content on Runet.10 Oddly, when this information was made public in a blog posting at Forbes.com by the author, Milner’s attorney sent a letter to Forbes’ Managing Editor that flatly denied that his client had ever served in such a capacity. “Mr. Milner has never led or been involved in a Ministry of Communications effort to crack down on illegal content on RUNET.”11 Milner’s reaction to the author’s post—which Forbes immediately removed upon receiving the complaint without conducting any fact-checking— demonstrates how carefully he manages publicity related to his background, and particularly, anything that would reveal his close relationship with the Kremlin. Even DST’s website has changed from a multi-page site which listed all of DST’s Internet properties to a single page (www.dst-global. com) with nothing but the name DSTGlobal, Inc. and an email address. In 2010, DST made a series of investments in U.S. social networking companies, including Zynga, Groupon, and ICQ, though Facebook remained its primary interest. After DST’s initial $200 million investment, the company

Thanks to the enormous popularity of

social networks worldwide...the Russian Internet also came to provide a self-funding open source intelligence operation for the Russian Security Services. ued to make investments in U.S. social media companies, he was appointed to an almost yearlong project by the Ministry of Communication and Information to analyze the scale and distribution

[212] Georgetown Journal of International Affairs

launched a tender offer of $100 million for Facebook employees’ stock. Then, in January 2011 DST co-led a $500 million round with Goldman Sachs to become one of Facebook’s largest insti-

CARR

International Engagement on Cyber

tutional investors, owning approximately 10 percent of the company.12 DST and its partners stand to profit greatly from Facebook’s inevitable IPO, which is predicted to occur in 2012 or 2013.13 In the meantime, on 5 November 2010 DST changed its name to Mail.ru Group and raised almost U.S. $1 billion in an IPO on the London Stock Exchange.14 The company created a new investment company called DST-Global “to continue to focus on Internet investments.”15 A few months later, the Russian government announced that Mail.ru Group’s CEO, Dmitry Grishin, would be serving as a member of the newly formed League of Internet Safety, which was created under the auspices of the Ministry of Communications and led by its Minister, Igor Shchyogolev. The League’s primary purpose is to fight against child pornography (and eventually, other “negative” content) by recruiting thousands of volunteers to act as informal Internet police. The likelihood of such a system being used to restrict freedom of expression—as is currently the case with Runet—has not gone un-noticed by Russian journalists and bloggers, who fear that the League’s activities will lead to the same kind of censorship found in China.16

tee in Vladikavkaz, North Ossetia on 22 February: “They prepared such a scenario for us previously. And now they will try to put it into practice. But, in any case, this scenario will not succeed.” President Medvedev did not specifically identify the “they” during the discussion; however, Russian press quickly tied the “they” to Russian unease over the West’s role in the color revolutions in Georgia, Ukraine, and Kyrgyzstan in the 2000s. Russian press—of which the Moscow Times is the most prominent—pointed to increased discussion on Russian regime change that is taking place on LiveJournal, Facebook, and Twitter. Moscow Times pointed out that all three of these social media outlets are believed to have served as mobilizing tools for protesters in North Africa, and especially in Egypt. Deputy Prime Minister Igor Sechin endorsed Moscow Times’ views by naming Google as a force behind the regime change in Egypt. Speaking to the Wall Street Journal, Minister Sechin said that “[o]ne should examine closer the events in Egypt, to look into what high-profile Google managers had been doing in Egypt, what kind of manipulations with the people’s energy had taken place there.”17 The most expansive view, however, is The Facebook Revolution If that espoused by Militia Major-General the Tulip Revolution of 2005 caused Vladimir Ovchinskiy, former chief of Vladislav Surkov to take steps to ensure the Russian Interpol Bureau, and curthat the Orange Revolution would not rently an adviser to the Russian Federacome to Russia, the social media-fueled tion Constitutional Court Chairman. revolutions in Egypt, Tunisia, and Leb- In a 3 March interview with Moscow anon must surely be having an impact Komsomolskaya Pravda Online, Genon the Kremlin. Russian President eral Ovchinskiy argued that the cyber Dmitry Medvedev succinctly expressed aspects of recent events were orcheshis view on this topic at a session of the trated by the heads of major WestNational Counter-Terrorism Commit- ern technology companies to support

[ 21 3]

THE GEO-POLITICAL STRATEGY OF RUSSIAN INVESTMENT

Administrations’ political objectives. General Ovchinskiy insinuates that a “secret” White House luncheon with the heads of Facebook, Apple, Google, Twitter, Yahoo!, Netflix, and Oracle that was held after Mubarak’s resignation celebrated recent American success. According to General Ovchinskiy, the President was expanding on Internet techniques that had been developed during the 2008 campaign: “Barack is striking while the iron is hot and is hastening, with the assistance of modern technology, to extend his TunisianEgyptian victory to other countries of the region and further across the world.” In response to the perceived role of social networking sites in facilitating revolution, the Federal Security Service (FSB) and Ministry of Internal Affairs (MVD) are proposing Criminal Code amendments that would make the owners of online social networks responsible for content posted on their sites, according to a 2 March St. Petersburg Times article.17 The article states that the amendments would force sites to record internal passport data for each registration, which would facilitate identification of individuals using the site. The article points out that both the FSB and MVD maintain components that operate on the Internet (MVD Directorate K and FSB Information Security Center) to identify “extremist” elements. The St. Petersburg Times article points out that the recently passed Police Law also contains vague language authorizing police to order any organization to change or stop operations that contribute to criminal activity in any way.

[214] Georgetown Journal of International Affairs

Conclusion Social networking ser-

vices are not constrained by national borders. Facebook has almost 600 million members, with a majority residing outside of the United States. DST already owns or controls most of Russia’s social networks, and, together with its partners Tencent and Naspers, they dominate social media worldwide. This provides a unique platform for the Russian government to conduct influence operations, intelligence collection, and information warfare through the unique political environment that exists inside the Russian Federation, where relationships are built upon usefulness and end when that usefulness ends (e.g., Pavlovsky’s recent contract termination by Surkov). A timeline of recent highprofile investments by DST shows a corresponding government affiliation with the company shortly before or after. Facebook Investment May 26, 2009: $200 million.

May 21, 2009: Milner serves on Presidential Commission. Nov, 2009: Milner leads Ministry of Communication survey of illegal content on Runet.

ICQ Investment April, 2010: DST buys ICQ from AOL and receives $300 million investment from Tencent.

August, 2010: Milner serves on Government Commission on High Technology, chaired by Putin.

CARR

International Engagement on Cyber

cessful business model. It is worth noting, however, that none of the investNov, 2010: Mail. Feb, 2011: Mail.ru ment prospecti or company biographies ru group IPO raises Group CEO Grishin U.S. $1 billion on sits on board of new reviewed for this paper contain any London Exchange. League of Internet information about Milner’s activities Safety. on behalf of the Russian government, nor his time at Neftyanoy or Menatep, Today Yuri Milner and DST-Global nor how he managed to avoid being are seeing unparalleled success in Sili- investigated when the other principals con Valley. Every new start-up that at both firms were found guilty. Both graduates from the technology incuba- investors and business partners of DSTtor Y-Combinator receives $150,000 Global and DST-Global 2 should be from DST. Traditional venture capital- fully informed of the relationship that ists have had to revise their term sheets the company and its officers have with because of DST’s generous deals. A the Russian government, because the new investment vehicle (DST-Global Kremlin is certainly interested in them. 2) has been set up for Western investors to take advantage of DST’s sucMail.ru Group IPO

NOTES

1 “It’s Not Just a Virtual Country,” The New Times Online, Internet, http://.newtimes.ru. 2 “Kremlin Tears Up Contract with Pavlovsky Think Tank,” RIA Novosti, Internet, http://en.rian.ru. 3 “Surkov: Dark Prince of the Kremlin,” RIA Novosti, Internet, http://enrian.ru. 4 “Spin Doctor of All Russia: Vladislav SurkovThe Man with a Thousand Faces,” RIA Novosti, Internet, http://en.rian.ru. 5 “Two Economic Commissions: President vs. Cabinet?,” Politkom, Internet, http://.politcom.ru. 6 New Trinity Investments is probably the vehicle for Milner’s first investment in Netbridge in 2000 since New Trinity Investment’s listed phone number also tracks to Netbridge. 7 “Special Report: Kyrgyzstan,” Open Net Initiative, Internet, http://opennet.net/special/kg/. 8 Anatoly Medetsky, “Surkov Says No Orange Revolution in Russia,” The St. Petersburg Times, Internet, http://www.sptimes.ru/story/83. 9 “Kremlin Ideologist Surkov Reportedly to Meet Bloggers to Plan Internet Strategy,” The New Times Online, Internet, http://newtimes.ru. 10 “Yuri Milner Will Clean Up the Internet,” InFox, Internet, http://infox.ru. 11 Email from Daniel Tench to Lewis Dvorkin re: Jeffrey Carr’s Forbes Article “Facebook Investor Leads New Russian Internet Police” (11 Feb 2011).

12 Joseph Menn and Charles Clover, “Man in the News: Yuri Milner,” Financial Times, Internet, http://www.ft.com. 13 Alexei Oreskovic, “UPDATE 2 -Facebook IPO Likely After Late 2012,” Reuters, Internet, http:// www.reuters.com/article/2010/09/27/facebookidUSN2717146120100927. 14 John Bonar, “Russia’s mail.ru IPO a resounding success on London exchange,” BSR Russia, Internet, http://www.bsr-russia.com/en/mergers-acquisitionsa-ipos/item/1109-russias-mailru-ipo-a-resoundingsuccess-on-london-exchange.html. 15 “Digital Sky Technologies (“DST”) Changes Name to Mail.ru Group,” Reuters, Internet, http://www.reuters.com/article/2010/09/16/ idUS43356+16-Sep-2010+BW20100916. 16 Kevin O’Flynn, “Russia Launches Initiative to Police the Internet,” Radio Free Europe/Radio Liberty, Internet, http://www.rferl.org/content/russia_ laimches_initiative_to_police_internet/2301671.html. 17 “Russian Reaction to Cyber’s Influence Upon Middle East Unrest, Taia Global, Internet, http://70.40.221.227/2011/06/28/russian-reaction-to-cybers-influence-upon-middle-eastunrest/. 18 Andrei Soldatov, “Kremlin’s Plan to Prevent a Facebook Revolution,” The St. Petersburg Times, Internet, http://www.sptimes.ru/index.php?action_ id=2&story_id=33645.

[ 21 5]

Privacy Assurance J.C. Smart Two pillars of a democratic society â&#x20AC;&#x201C; Security and Liberty â&#x20AC;&#x201C; are challenged by the post-9/11 world. How can an open democracy sustain the former without infringing on the latter? A governmentâ&#x20AC;&#x2122;s ability to collect, process, analyze, and share volumes of information is commonly regarded as central to its national security. But these needs, driven by a desire to detect and prevent attacks against itself and its allies, increasingly conflict with its constitutional protections of individual liberties. Current public opinion usually frames this debate as a tradeoff, balancing the sacrifice of some liberties against real or perceived gains in security. No end to this debate is in sight. But this paper posits that security and liberty are not mutually exclusive. Rather, it proposes a method that enables both to be achieved simultaneously, through the careful application of policy and modern technology. This concept is referred to here as Privacy Assurance.

Information Sharing The sharing of information

across legal and jurisdictional boundaries supports national security and analytic tradecraft; the 9/11-hijackers were not only connected via airline data and other transactional records, but in at least two cases by threat information

[ 2 1 6 ] Georgetown Journal of International Affairs

Dr. J.C. Smart is the Chief Technologist for the Intelligence and Information Systems (IIS) business at Raytheon, where he is responsible for leading advanced technology research and development for Intelligence Community and Homeland Defense/ Security applications. Prior to joining Raytheon, Dr. Smart served as the Senior Technical Director of the National Security Operations Center (NSOC) at the National Security Agency, Department of Defense

SMART

already maintained by the U.S. intelligence community as well. This process has been popularized as “connecting the dots.” But localized information “stovepipes” maintained by individual organizations often are not sufficiently rich in their content to discern the complex network of associations and connections across multiple jurisdictions that realistically describe contemporary threats. In contrast, such patterns often are quickly revealed when these otherwise disparate information sources can be merged and analyzed in aggregate. Unfortunately, the merging of information sources can quickly exceed the respective authorities of participating organizations, creating new threats to individual liberties and personal privacy. Alternatively stated, it often may be in the best interests of individual organizations spanning various legal and jurisdictional boundaries to share information, but there may not be adequate trust among the participants, or authority from the citizenry under whom they serve, to allow such sharing. This mistrust can arise from the fear of misuse, insufficient oversight, fear of the exposure of sensitive information, sources, and methods, or the increased risk of unintentional exposure. Trust issues aside, privacy policy in the United States today mandates data minimization. Furthermore, privacy policy dictates that civilian agencies should only collect personally identifying information (PII) that is directly relevant and necessary to accomplish the specified purpose of its collection; only retain PII for as long as is necessary to fulfill the specified purpose; and only share data with other agencies when compatible with the

International Engagement on Cyber

purpose for which it was collected. Moreover, U.S. citizens are afforded a fundamental right to be “secure in their persons, houses, papers, and effects, against unreasonable searches.” Is it possible to achieve the security goal without eroding privacy rights? The Privacy Assurance approach takes the Fourth Amendment to the United States Constitution as a basic system requirement. Within this framework, U.S. law defines “reasonable suspicion” as the standard of law, based on specific and articulable facts and inferences, under which a person may be regarded as being engaged in criminal activities, having been engaged in such activity, or about to be engaged in such activity. Reasonable suspicion is the basis for investigatory stops by the police and requires less evidence than probable cause, the legal requirement for arrests and warrants. Reasonable suspicion is evaluated using the “reasonable person” or “reasonable officer” standard, in which an officer in the same circumstances could reasonably believe a person has been, is, or is about to be engaged in criminal activity. Such suspicion is not simply a hunch. A combination of particular facts, even if each is individually innocuous, can form the basis of reasonable suspicion. This is pivotal to Constitutional law enforcement and to the method for assuring privacy that is laid out below. It describes how reasonable suspicion can be ascertained from multiple information sources without resorting to unreasonable search. Unreasonable search is interpreted here as any type of investigative process that would reveal information that a reasonable person would regard as private prior to the

[217]

PRIVACY ASSURANCE

establishment of reasonable suspicion degree of probability asserted as reaor probable cause, and thus protected. sonable by a community of such experts. What good is a Black Box? AssumPrivacy Assurance So how can rea- ing the existence of such a device, it sonable suspicion be ascertained from then is possible to “share” informamultiple information sources without tion in unique and powerful ways. resorting to unreasonable search? The Figure 1 below illustrates the basic Privacy Assurance approach posits the privacy assurance configuration. At the existence of a “Black Box.” In this con- top center of the diagram is the “Black

The sharing of information across

legal and jurisdictional boundaries supports national security and analytic tradecraft. text, a Black Box is a physical (or logical) device whose contents are beyond reach: they can never be examined. The device is specifically engineered so that the information it is fed cannot be revealed to anyone, regardless of authorization, executive privilege, court order, vandalism, or deliberate attack. Information can flow into the Black Box, but once it resides within its boundaries, it can never be accessed. For all practical purposes, the Black Box is impenetrable. Total impenetrability implies a theoretical extreme that likely would be difficult to achieve, or even more important, to verify or accept in the negative. Consequently, this paper takes impenetrability as the condition in which there exist no known exploitable vulnerabilities that would enable access to the contents of the Black Box. While vulnerabilities may exist, an impenetrable Black Box is one about which a group of reasonable, qualified technical experts will testify that any vulnerabilities inherent in the device’s design have been mitigated, using reasonable techniques to assure its security to within a

[ 2 1 8 ] Georgetown Journal of International Affairs

Box” construct. Across the bottom are representations of independent organizations that span multiple legal and/ or jurisdictional boundaries. Each of these organizations via their respective legal charters is authorized to maintain a specific body of information, represented by the colored “dot” networks depicted within each. These information “dots” are connected via “links” that represent relationships that the organization has discerned and maintains, consistent with its legal authorization. The legal charter of each organization may limit its ability to access or share information and thereby identify the corresponding relationships across the established boundaries. Sharing this information across such a boundary could in fact constitute a breach of law or, alternatively, a breach of public or congressional trust or acceptance. Nevertheless, if such organizations were actually able to share their information, new patterns and relationships within the information could be identified from analysis. New patterns of suspicious activity that might impact nation-

SMART

International Engagement on Cyber

Figure 1: The Privacy Assurance “Black Box” al security could be identified and acted upon. This information would constitute “actionable intelligence.” The solution offered by this approach involves placing relevant information from each contributing organization inside of the Black Box. Information can then be connected and processed, but without the possibility of human examination or disclosure. The methods used to do this are well established in contemporary analytic tradecraft; techniques such as graph analysis, for example, can discover relationships among billions of data elements. But if the Black Box is designed to be “non-queryable” by any means, how then can it be of any value? To address the utility question, the Black Box also has exactly one additional input (on the left in Figure 1) and exactly one and only one output (located on the right). At the left interface, patterns of specific interest are input to the box. These patterns

are template-like encodings of generic information relationships that a duly authorized policy body has reviewed and approved for submission into the box. Put another way, the patterns are a set of analytical rules that define the Black Box’s reasonable search behavior. The only patterns that are admissible to the Black Box are those that the policy body has reviewed and has unanimously confirmed as meeting a certain threshold. In this case, the threshold is the set of observable conditions within the Black Box that meet the legal standard for reasonable suspicion. Within the Black Box – in addition to the information that it receives from each contributing organization and the patterns it receives from the policy body – is an algorithm that continuously searches for conditions that match any of the submitted reasonable suspicion patterns. Upon detecting such a pattern, the Black Box outputs an identifier for the pattern and a set

[219]

PRIVACY ASSURANCE

of identifiers for the information that triggered the patternâ&#x20AC;&#x2122;s detection. This is a continuous process. It is executed in real-time without human intervention, again leveraging current analytic tradecraft. Upon such a detection event, the contributing organizations would be notified of the particular identifiers. They then could investigate further, using their existing analytic capacities and legal structures. If permissible by law, additional information could accompany the output notification to expedite investigation. The specification for such auxiliary information is incorporated into the original pattern definition, enabling the policy body to review and approve, and to ensure privacy compliance.

been authorized to possess. Similarly, the only information that is ever outputted from the Black Box is that which has been deemed in advance to constitute reasonable suspicion and to meet the standards of reasonable suspicion.

Implementation Aspects The basic design of a Black Box is shown in Figure 2. Everything that flows into and/or out of the box must pass through a carefully designed interface that strictly limits access to a small set of well defined, hardware-enforced actions. External data sources (at the left side of Figure 2) are connected to the box via a set of input adapters. These adapters transform an input source into a set of unique information items and rela-

The Privacy Approach takes the Fourth

Amendment to the United States Constitution as a basic system requirement. All identifiers output by the Black Box would be available to the policy body, or alternatively, to a duly constituted oversight body, which would verify compliance continuously. In other words, while considerable information is flowing into the Black Box, the only aspect that would ever have external visibility is a reasonable suspicion output. In this manner, organizations and the citizenry they serve can receive the benefits of information sharing, but without exposing information to misuse or the risk of privacy invasion. The only information that can be submitted to the Black Box is information that at least one or more members of the participating organizations have already

[ 2 20] Georgetown Journal of International Affairs

tionships for representation and processing within the box. These items flow electronically into the box via input converters that transform the input source information into a set of distinct graph elements (i.e. a mathematical node/link structure). These elements are passed across the box boundary via a strict hardware protocol. Within the box, this protocol is processed via a set of interface isolators to ensure that the only operations that can ever be executed are those stated in the boxâ&#x20AC;&#x2122;s formal specification. As part of the implementation process, the design of this converter/isolator set is verified using formal techniques that provide methods to ensure proof-of-correctness of

SMART

International Engagement on Cyber

Figure 2: The “Black Box” Design the implementation. At the top of Figure 2, patterns that encode reasonable suspicion policy statements flow into the box via the same adapter-converter-isolator process. Patterns for submission to the box, however, must first be “compiled” from their source specification language (e.g. an English subset) before being passed through the pattern adapter. Within the box, patterns are again represented as a set of graph elements (i.e. templates). At the core of the Black Box is the trusted graph-processing engine. This engine is very carefully engineered to ensure that its pattern-matching algorithm cannot be modified in any fashion. Once developed, proven, loaded, and authenticated, this algorithm can never be changed without repeating the entire rigorous, monitored process. This is critical for preventing any type of accidental or adversary-assisted disclosure of private information from the box.

At the right side of Figure 2, patterns that are detected by the processing engine flow out through a similar process, but in reverse order. That is, triggered pattern identifiers and the associated reasonable suspicion information identifiers can only exit the box by passing through an interface isolator. Outside of the box, these items are converted into a form that is recognizable to an operator, or alternatively, into a form that can be processed by the contributing source organizations or investigating bodies that participate in the feedback/dissemination loop. The key aspect of this design is that regardless of what information may flow into the box, the only information that can ever exit is that which was approved and authorized by the policy body as meeting a reasonable suspicion pattern. Furthermore, the box itself is implemented in such a manner that these protections cannot be cir-

[221]

PRIVACY ASSURANCE

cumvented via tampering. Hence the implementation provides for no back doors, no overrides, no special authorizations, nor any inherent exploitable vulnerabilities within the limits of the formal verification techniques and assumptions used to specify, design, and engineer its correct operation.

Operational

protections, and certifications of the Black Box and its interfaces to ensure sustained operational system integrity. Finally, the pilot program will establish operational policies and procedures for identifying, protecting, and mitigating specific vulnerabilities across an end-to-end system deployment.

Considerations Conclusion The Privacy Assurance

The Privacy Assurance approach is based on existing, well-understood analytic tradecraft and proven, offthe-shelf technology components. While a proof-of-correct-operation is at hand, the full technical aspects of this approach are outside the scope of this paper. However, none of the constituent techniques and components described here are particularly new, distinctly novel, or technically unfounded. It is the careful configuration of these components and their unique operationalization within an existing policy framework that has not been attempted. Consequently, a pilot demonstration program is being pursued in partnership with government, industry, and academia to methodically address an intricate blend of policy and technology-related issues. The pilot program will configure a policy body and its associated processes for defining and authorizing patterns that would constitute reasonable suspicion. It will also seek to establish an oversight function or oversight body to monitor the operation of a Black Box configuration, including the auditing of input patterns and output notifications to ensure legal compliance. In terms of technology, the program will determine the specific configuration, operating procedures, physical and cyber [22 2] Georgetown Journal of International Affairs

approach enables organizations to share information in a manner that respects and embraces individual privacy rights. Although discussed here within a privacy policy context, the Black Box approach is applicable to a diverse spectrum of information sharing challenges. As noted, the patterns are simply analytical rules that can be changed like any filter. This means that the Black Box methodology could be applied to facilitate other types of information sharing by intelligence agencies, thus overcoming traditional obstacles to cooperation, such as concerns about protecting underlying data, sources, and methods, as well as varying standards for data and metadata. Within a highly compartmented organization, this approach would enable information to be aggregated and analyzed without risk of compartment compromise. At an international level, the Black Box approach would enable countries to share and analyze highly sensitive information, perhaps of a treaty- or compliance nature, without exposing protected concerns or individual violations. Numerous other applications, ranging from health records management and compliance with HIPAA to personnel information processing can be readily envisioned as well.

SMART

The strength of this approach rests heavily on the impenetrability assumptions of the Black Box. While specific candidate Black Box implementation techniques exist that offer the highest levels of theoretical mathematical assurance, 100 percent absolute impenetrability assertions are largely unverifiable from a practical standpoint. Rather, impenetrability must be ascertained via an assessment of risks based on specific threats to components that exhibit varying degrees of trust. Analogous to the legal standard that defines reasonable suspicion, an accompanying technical standard that defines reasonable impenetrability would need to be established. A community of concerned scien-

International Engagement on Cyber

tists, engineers, and technicians from across the country stand ready for this undertaking. The implications of a technical resolution upon the current tension between Security and Liberty would be profound.

Acknowledgement: This paper is

the result of numerous conversations with remarkably insightful individuals from all across the cybersecurity industry. In particular, significant contributions to this engaging dialog were received from the policy and technology communities at Georgetown University, Lawrence Livermore National Laboratory, Oak Ridge National Laboratory, and the National Security Agency.

[223]