Steve Ranger on ZDNet reports on a recent presentation by Microsoft President Brad Smith. Like other tech-saavy observers, Smith worries about a Cyber Arms race that is out of control, and is in favor of doing something about it. See his blog post: “The Need for a Digital Geneva Convention“.
In the deterrence theory of nuclear war, the “triad” is an essential concept. It refers to three different delivery platforms for thermonuclear weapons.
In a typical scenario, the United States is attacked by incoming thermonuclear weapons. The land based missiles are destroyed. Many strategic bombers are caught on the ground and also destroyed. Those bombers that are heading to their targets are shot out of the air.
Still, the SLBMs will be launched, and that force alone is enough to completely destroy the attacker, no matter how large they are.
As a result, any attacker is assured that if they attack, then they definitely will be destroyed also. This is the basis for nuclear deterrence, and the basis for the world’s peace that we have enjoyed since the beginning of the nuclear age.
Since 9/11, the United States has made a very large investment in national security. It has prepared not only for fighting terrorism overseas, but also for fighting it inside the United States. This has resulted in a blurring of responsibilities between more than 3,984 federal, state and local organizations that are involved in anti-terrorist activities. Doing the math, that is more than 76 anti-terrorist organizations per state.
By taking out a small subset of these organizations, we can see the organizations involved with cyber security and cyber warfare. See Figure 1.
Figure 1 – The Cyber Defense Triad.
The two major government organizations responsible for cyber security are the Department of Defense, and the Department of Homeland Security. These organizations are supported by the intelligence establishment of the Office of the Director of National Intelligence, which sit on top of the eighteen (18) intelligence organizations operating in the United States.
One of the peculiar problems of cyber defense is the blurring of national borders. It is actually almost meaningless to think of a national border. So in a sense, the dividing up of responsibilities between the Department of Defense and Homeland Security is archaic. You will notice that no such division exists in Russia. (See previous post on Russian Cyber Defense Doctrine.)
But looking at this complex web of cyber defense capabilities, one wonders how well it will really work when under extreme pressure of a major cyber incident?
It is an open question regarding whether or not the cyber capabilities that have been deployed by the United States are capable of cyber deterrence. Given the massive number of cyber attacks that have been reported, the answer is “no”.
Cyber Deterrence Theory needs more exploration. See future blog entries.
The United States of America is the World’s cyber superpower.
History shows that the revolution in computing and information technology started not in the United States, but instead in England. But as the onslaught of the Second World War began to dim the starched and crusty sun of the British Empire, the world’s center of computing innovation shifted to the United States, and has never left. Today, the United States has emerged as the world’s cyber superpower. No other country comes close, in fact, the rest of the world added up together does not equal the cyberpower of the United States. Nevertheless, with cyber-greatness, comes cyber-vulnerability, and thus the United States faces many challenges going forward.
Birth of Computing. The foundations of computing were defined by Alan Mathison Turing (1912-1954), an English mathematician in his paper “On Computable Numbers, with an Application to the Entscheidungsproblem” delivered to the London Mathematical Society in 1936. After a long discussion, he writes “If this is so, we can construct a machine to write down the successive state formulae, and hence to compute the required number.” (Don’t try to read the paper unless you know a great deal of math. A better explanation is found in Andrew Hodges book “Alan Turning: The Enigma“.)
Turing was recruited to work at Bletchley Park, the center of the UK’s codebreaking operation during the Second World War. The central challenge was learning how to break the enigma coding machine. Turing and his team built the world’s first electro-mechanical machine to break the code (bomba kryptologiczna [Polish]). Eventually the German Navy deployed an improved enigma machine with more coding rotors. This blunted the English effort.
Nevertheless, the United States Naval Computing Machine Laboratory at a secret location in Dayton, Ohio started work on a more advanced code-breaking machine using vacuum tubes. You can see a picture of the U.S. Navy Cryptanalytic Bombe at the National Security Agency’s (NSA) National Cryptologic Museum here. The Museum has a picture of coding rotors on its facebook page here. This project was located in “Building 26” on the campus of the National Cash Register Machine company. This is where the future founder of IBM worked.
Growth of Computing. The history of computing is long, but most of the book was written in the United States. In particular, the release of the IBM System 360 included the first operating system. Mainframe computers, minicomputers, personal computers, handheld computers, integrated circuits, and so on. Much of this evolution was powered by companies in Silicon Valley, but also around Route 128 in Boston. As a note, much work in development of supercomputers was funded by NSA, especially the work of Seymour Cray.
Telecommunications and Networking. Most of the world’s innovation in telecommunications and networking has occurred in the United States. There is no need here to retell the long history of developments: Telegraph, Telephone, Radio & Television, Satellite, Internet, Mobile Cellular Technology. (See Desmond Chong’s comments here.) The Internet now connects most citizens of the world. (See: Internet Society report here.) From 1992 to 2015, the number of websites grew from 10 to 863,105,652 and from 1993 the number of Internet Users grew from 108,935 to 3,185,996,155. (See Internet Live Stats.)
This growth of “cyberspace” in effect has created an entirely new virtual geography for conflict between nation states.
Control of Cyber Infrastructure. Apart from manufacturing much of the technology, US companies produce the software, cloud systems, other Internet based services, and social media systems that dominate the world. There is no European Google, for example. Companies such as Google, Facebook, Twitter, Microsoft, IBM, Apple and others dominate the world’s ICT landscape.
In the Post-9/11 world, the United States has built up and incredible infrastructure to defend against terrorism and respond to it promptly once it occurs. These investments envision threats from weapons of mass destruction, lone wolf terrorist attacks, Electromagnetic Pulse (EMP), and cyber attacks. A few days after the September 11th attack, the US Congress handed over to the executive $40 billion dollars to “get started” on building these defensive systems. Then it wrote another check and another. The total amount invested is classified.
Investments were made in two direction; foreign intelligence, and emergency response in the homeland. Although the development of foreign intelligence capabilities using cyber espionage is secret, revelations from illegal criminal leaks published by the traitor Edward Snowden and the brutal Wikileaks, plus high quality yet legal investigative reporting by authors such as Dana Priest and William M. Arkin (Top Secret America: The Rise of the New American Security State) suggest the incredible capabilities of the United States.
To put it in simple terms, apart from its not inconsiderable activities overseas, the United States has trained its military to fight, defend infrastructure, and collect intelligence within the United States itself.
Result: There has been a blurring of lines of responsibility between local, state, and Federal efforts to fight a cyber war.
The result is a nation state with dominant cyberpower:
Since 9/11, the United States in the cyber arena likely has invested more than 25 times as much as any nation that is in a distant second place. There is a cyber arms race, and the United States is winning, and will continue to do so for the foreseeable future (providing it keeps investing, as it probably will).
It is difficult to have an undisputed definition of cyberpower, but as a starting point, we can say that for a nation state, it may be defined by the following factors:
Cyberpower might be estimated as follows:
(9[w2w1]+[w1-9{w2w1}]+3.5p1+p2) * (Rg+.6Rp) + (.9e1+.4e2+.15e3)
Getting this type of data, applying proper quantification and operationalization of the relationships, however, is somewhat problematical, to say the least.
Government and Private Sector Coordination. The United States has a peculiar arrangement whereby the government is responsible for defense of the nation, but is unable to control how private enterprises, and the private sector in general, avails itself of defensive technologies. The private sector is left to defend itself. For example, Under the National Security Agency (NSA), the Cyber Command (“Cybercom”) component is responsible for development of both offensive and defensive cyber weapons. However, it is not clear at all how and under which specific circumstances the power of Cyber Command would be used. See Figure 1.
Figure 1 –– Attack and Defense in Cyberspace. The US Government (NSA’s Cyber Command) is tasked with defending the U.S. Government from cyber attacks. But in case of cyber attacks against important private sector components, including infrastructure, there is no clear role or authority.
As of 2018 Cyber Command should have a 6,200 member force. It is under the command of the U.S. Strategic Command, which also is in charge of the USA’s nuclear weapons. This number, 6,200 might possibly be only a fraction of the true size of Cyber Command, considering that it is common practice in many parts of the U.S. government, including the military, to make extensive use of outsourcing and subcontractors to get its work done. If the government employee/subcontractor ratio for other parts of the government is applied to Cyber Command, then a force of 27,900 might be more realistic.
Since it operates under the auspices of the National Security Agency (NSA), Cyber Command has responsibility for protecting the communications, including data communications and thus data processing and ICT infrastructure, of the United States Government. Presumably this means that should government ICT infrastructure come under attack from another nation state, Cyber Command could respond. The rules of cyber war are not yet worked out because it is difficult to have a “cyber war”, without any real “war”. And if there is not real “war”, then presumably government weapons would not be used to fight the conflict.
This leaves a vulnerability for the United States. If the private sector, including the USA’s vast infrastructure (electricity, transportation, finance, business process computing, communications, distribution), came under attack, it is not clear that the NSA would respond. Perhaps it has standing orders to aid the private sector, but it is difficult to see how this could happen except through the mechanism of providing warning and advice to victims of cyberattacks.
It is possible that cyber militia might be used by either the private sector or by the government, but there is not much known about this possibility, and in any case, there would be legal and regulatory barriers for this to be done by the government.
This leaves open the challenge of coordination.
Focus and Coordination. Within the U.S. government, as well as the states and local jurisdictions, a large number of fusion centers and other points of shared operational responsibility has been developed and deployed. Everything from response to a chemical biological attack to a full scale nuclear war has been prepared for. There is a particularly vigilant infrastructure in place to handle the aftermath of a severe terrorist attack against any community. But these centers specialize in different areas: some on electricity, others on public health, terrorism, or a number of other focus area. They have different degrees of cyber defense and response capabilities, if any at all.
But we can be sure that in any cyber emergency, it will be very difficult to coordinate the activities of these many centers and there is no integrated cyber response plan to do so.
So looking below at Figure 2, we might hypothesize that there is an optimum number of centers of cyber excellence that determines the level of effectiveness against a cyber attack. In the initial stages of build-up, there is a rapid rise in effectiveness. But if too much is built, the response teams will face increasing difficulty in coordinating their response, and the effectiveness will start to fall, even as investments continue to rise.
Figure 2 – Too much cyber defense might weaken the overall national efforts. Response to cyber attacks are coordinated a various national centers. As the number of these centers increases, the effectiveness of response increases, but never becomes perfect. But it never approaches perfect. At some point further increases in cyber response centers weakens national cyber defense because of the cost of coordination.
Cyber Arms Control. Understanding the prospects of cyber arms control must be based on realistic assumptions about nation state motivation. when seeking international agreement, the cardinal rule is that no nation state will support any regime that does not yield it a benefit. So any international convention to control the proliferation of cyber weapons most present some advantage for each nation in acquiescence. A “win-win” scenario, to use popular game theory lingo. So from the point of view of the United States, we must examine if it is possible to identify any specific advantages from such a treaty. Here are a few to consider:
Deterrence is found between nation states when an aggressive action by any nation is discouraged because of doubt or fear of the consequences.
Figure 1 – Cover page of the 1958 RAND report on Deterrence written by Bernard Brodie.
The concept of deterrence was created in the late 1950’s by analysts such as Bernard Brodie who was working at the RAND Corporation “think tank” in Santa Monica, California. He and his colleague Herman Kahn was developing a system of theoretical frameworks that could be used to understand the implication of thermonuclear war using Intercontinental Ballistic Missiles (ICBMs) and other delivery systems.
At that point in time, the United States was reeling from the psychological shock of Sputnik 1 (Простейший Спутник-1), a satellite that the Soviet Union placed into an elliptical Earth orbit in October 1957. The “Space Race” was on, and the Soviet Union had a substantial lead over the United States.
Although Sputnik was designed to orbit the earth and emit a 20 and 40 MHz signal, the shock to the United States was not caused merely by the Soviet Union’s ability to place a small radio transmitter in orbit to broadcast for 21 days.
This was 1957, there were no computers, no electronic calculators. All mathematical calculations were made using slide rules. There was no CAD-CAM; all engineering work was done on paper. Engineers used drafting tables.
The shock was in the accuracy. If the Soviet Union could manage to be precise enough to place a small radio broadcasting satellite into a stable orbit, then it had the skills to be accurate enough to send a thermonuclear weapon to the mainland of the United States. The accuracy was enough to place Sputnik into orbit, and enough to drop an atomic bomb on a U.S. metropolitan area.
Shortly thereafter, the United States and the Soviet Union greatly increased production of nuclear weapons and ICBMs. The number of atomic bombs became so great that it would have been possible for the Soviet Union easily to extinguish all life on planet earth.
That is, in the mid-1960s, the United States had deployed approximately 31,000 nuclear bombs. By the late 1980s, the Soviet Union had deployed 40,000 nuclear bombs. Considering that there are only 260 or so large cities in the United States, the threat of 40,000 nuclear bombs was overwhelming.
In today’s world, people do not think much about nuclear weapons. Countries such as Iran that are engaged in violating its treaty obligations and developing nuclear weapons argue that they have a “right” to do so, but they have no such right.
This is because nuclear weapons are too dangerous to allow them to spread. Here is an example that frequently was given by Professor Geoffrey Kemp in his lectures at the Fletcher School of Law and Diplomacy. For some reason, he always like to use the MIT swimming pool in his story.
“It is an October day. The beautiful New England sky is clear and dark blue. Not a cloud to be seen. A nuclear weapon explodes approximately 20,000 feet above the MIT swimming pool. What would be the consequences? Let us first think of only the heat. Take a compass and a map. Draw a circle around the MIT swimming pool. Go out 235 miles as a radius in every direction. The heat of the explosion alone would cause everything within that circle to spontaneously burst into flames. And that is before any of the blast effects were felt.”
With a radius of 235 miles, this blast area would be 173,494 square miles. The United States is 3.797 million square miles. Incredibly, it would take the Soviet Union only 22 weapons to burn the entire surface of the United States. That would leave it with 39,980 weapons remaining. We could do the same math with the Soviet Union. With its size of 8.65 million square miles, it would cost the United States only 50 bombs to burn the entire surface of the Soviet Union, leaving it with 30,950 weapons remaining.
Now these calculations could be a little off, but you should get the point.
So in the nuclear age the theoretical question being considered in sunny Santa Monica was how to avoid having the United States destroyed. The larger question was how to avoid having the entire earth incinerated.
Eventually the superpowers settled on a type of balance of power. It was not the “classic” balance of power that had been re-established at the Congress of Vienna (Wiener Kongress) in 1815 after the trauma of the Napoleonic wars. The nuclear age was to have a different balance of power. Each nation would know that if it attacked another, then there would remain enough thermonuclear weapons on the other side to assure that the attacker themselves would be destroyed in retaliation.
This is guaranteed by the “triad” of delivery systems: The Air Force, the fleet of Intercontinental Ballistic Missiles (ICBMs), and the Navy’s Submarine Launched Ballistic Missiles (SLBMs). In a worst case scenario, if the entire continent of the United States were incinerated and every human being killed, still the U.S. Navy’s nuclear submarine fleet hiding always in the ocean would be able to launch a devastating counter-strike against the Soviet Union. And the USSR built a submarine fleet to provide it with the same retaliatory capability.
And that is the essence of “deterrence”. Neither side will attack the other with nuclear weapons, because it is reasonable certain that it will get the same back. Like the final statement of the computer in the movie “War Games”, the best move is not to play at all.
So we should be thankful about nuclear weapons. Because they have kept the peace and ensured that there was no outbreak of war between the superpowers.
Is it possible to have deterrence in the cyber arena? First, we need to think about a few of the differences between nuclear and cyber weapons.
Destructive Capability. The destructive capabilities of nuclear weapons are well known. They have kinetic blast effects, heat effects, and radiation poisoning effects. They are designed to destroy infrastructure, or other weapons systems. The calculation of destructive capabilities is well understood. The “Circular Error Probable” (CEP) value which measures the probability that the weapon will explode within a certain range of its target is almost as important as the strength of the blast, since proximity can leverage the inverse square law. In contrast, cyber weapons can have both logical and kinetic effects. By “logic” effects, we refer to destruction or alteration of programmable code or other data, and then the secondary “downstream” effects that are generated. In cyber, a “kinetic” effect is a downstream effect of a cyber event. For example, the Stuxnet virus is said to have caused Siemens programmable logic controllers to trigger a destruction of the Iranian centrifuge machines.
Attack Focus. In nuclear weapons, the kinetic, heat, and radiation effects are centered around the impact point of the explosion. Anything, any system either mechanical or biological within the effect range will sustain damage. The degree of damage falls off exponentially as we move away from the site of the explosion. In contrast, cyber weapons do not necessarily have a point of impact. They can have similar effects across very large geographical areas. As long the system is compatible in logic with the cyber weapon’s capabilities, they be anywhere. So for example, a nuclear weapon can destroy an electricity production complex; but a cyber weapon can cause destruction or disruption across a geographically distributed electricity or banking grid. A nuclear weapon will destroy everything within its range; a cyber weapon can reap massive destruction to a specific system, but leave everything else in the area untouched.
Visibility of Attack Delivery Phase. Apart from a hidden “suitcase bomb”, the delivery of strategic nuclear weapons is visible. Aircraft (strategic bombers) and ICBMs or nuclear cruise missiles can be detected by radar, although stealth aircraft are more difficult to see. Of course the “reaction time” for responding is a considerable problem. For an SLBM attack against the United States, there may be only 10 minutes or so to respond. The visibility, however limited, probably allows the receiving state to determine the origin of the weapon, and this enables it to target its response and retaliation. So there is a delivery phase of a nuclear attack. With cyber weapons, this delivery phase is not visible. There are two aspects to this: First, it is possible to disguise cyber weapons so that even when they are identified, their source is not known; Second, an additional factor is that with nuclear weapons, there is a delivery time governed by the physics of moving a bomb across the planet. With cyber weapons, delivery takes place more or less instantaneously.
Covert Cyber Weapons Caches. During the Cold War, it was said that the Soviet Union had pre-positioned caches of arms or other destructive items in various places across the United States. These were designed to be available to Non-Official Cover (NOC) agents who would be “activated” in case of a war. This tactic is also said to have been used by the Soviet Union against European targets in the interwar period, and also by the United States. With cyber weapons, the pre-positioning of malicious code means in essence that the payload already has been delivered. There is no delivery phase, and it certainly is not visible. So it is reasonable to assume that any cyber-superpower already has positioned significant numbers of cyber weapons inside the infrastructure of its potential enemies. Therefore, the weapons should be able to attack without warning.
Destructive Effects. Nuclear weapons: (1) kinetic; (2) heat; (3) radiation poisoning. Cyber weapons: (1) kinetic; (2) logical.
Level of Uncertainty. The level of uncertainty for strategists is greater for cyber than for nuclear. This not to discount the considerable uncertainty surrounding a scenario of thermonuclear war. Nevertheless, we can say that the Mutually Assured Destruction (MAD) principle means we can be sure that if a major confrontation breaks out, then both sides will sustain unacceptable levels of damage, regardless of who was the aggressor. In contrast, there is no such certainty with cyber weapons.
To quote Brodie:
“It is a truistic statement that by deterrence we mean obliging the opponent to consider, in an environment of great uncertainty, the probable cost to him of attacking us against the expected gain thereof.” (p.11)
If the Russian Federation makes a decision to launch a cyber attack against the United States, then given the great amount of uncertainty, how can it estimate what the U.S. response will be, and how much “cost” or damage it will be required to suffer, and after that, what will be its expected gain? The same is true for the United States. It if decides to launch a cyber attack against China, then how does it estimate what the Chinese are capable of doing in retaliation, and after that, how can it assess the potential gain?
Cyber War is Mutually Un-Assured Destruction (MUD). We only can conclude that the level of uncertainty is so great in cyber that there is no assurance of destruction of the attacking party, and no way to estimate how much “cost” would need to be paid by the attacker as it weathers the retaliation of its victim; thus there is no way to understand whether or not there would be any potential gain.
So the implication of this is that cyber weapons appear to be more dangerous that nuclear weapons because of the level of uncertainty inherent in their deployment and potential use. This means by extension that at least for the time being, the concept of “balance of cyber power” is not a feasible concept.
In future posts, we will examine a number of cyber-war scenarios.
United States of America v. Dmitry Dokuchaev, a/k/a “Patrick Nagel,” Igor Sushchin, Alexsey Belan, a/k/a “Magg,” and Karim Baratov, a/k/a “Kay,” a/k/a “Karim Taloverov,” a/k/a “Karim Akehmet Tokbergenov” Defendants.
If we include economic espionage and unauthorized hacking as a type of cyber warfare, then this indictment released yesterday opens up a window into the techniques being used by organized crime, individuals, and nation states, to get into computing systems and steal or manipulate information.
Here are a few of the techniques exposed in the indictment:
Judging from the indictment, the hackers focused primarily on Russian nationals, or people who in some way were associated with a Russian interest. Here are a few examples of targets:
In addition, one of the hackers ran an e-commerce scam on the side and seemed to have earned a bit of money from it. The indictment demands seizure a grey Aston Martin DBS and a black Mercedes Benz C54, among other assets such as a number of PayPal accounts.
There are a number of violations cited in the indictment. They can be divided up into classes:
General hacking violations. Conspiracy to commit computer fraud and abuse 18 USC §1030(b); Unauthorized access to protected computers 18 USC §1030(a)(2)(C); Damaging protected computers §1030(a)(5)(A); and Trafficking in counterfeit access devices §1029(a)(1).
Espionage. Conspiracy to commit economic espionage §1831(a)(5); Economic espionage §1831(a)(1); Conspiracy to steal trade secrets §1832(a)(5); Theft of trade secrets §1832(a)(1). These charges involve the access to Yahoo’s proprietary software that controls the User Data Base (UDB) and Account Management Tool (AMT).
It is interesting that the espionage charges relate only to Yahoo, whereas there also were other companies compromised.
Fraud and Identify Theft. The other charges related to Computer Fraud and Abuse §1020(b); Wire fraud §1349 (moving the money to and from PayPal and getting people to pay for products after being tricked into going to a different website); and Aggravated identity theft §1028(a).
The defendants involved are associated with the Russian Federal Security Service (FSB) [Федеральная служба безопасности Российской Федерации (ФСБ)] which is an intelligence and law enforcement agency of the Russian Federation and a successor service to the Soviet Union’s Committee of State Security (KGB) [Комите́т госуда́рственной безопа́сности (КГБ)]. Their office is in the old KGB headquarters building in Lubyanka Square in Moscow. The FSB is a military service of the Russian Federation.
It should be noted that the FSB is different from Russia’s Foreign Intelligence Service of the Russian Federation (SVR) [Слу́жба вне́шней разве́дки (СВР РФ)].
As a comparison, in the United States the CIA is responsible for foreign intelligence, and the FBI for criminal intelligence within the United States.
So the bulk of the espionage efforts by the defendants appears to be a Russian investigation of Russians. But the investigation was taking place inside US “cyber” territory. Other parts involve non-Russian citizens.
Does this set a precedent? Here are a few questions raised by this incident:
This blogger knows of no other time in history when espionage and intelligence activities by nation states has been subjected to this type of legal procedure. Does this set a dangerous precedent? Only time will tell.
Ultimately if there were a criminal investigation underway by the FSB, and the criminal investigation was of Russian nationals, then there should be a way for the FSB to file a surveillance request to US authorities, and then get assistance in the criminal investigation. This could happen if there were some type of reciprocal agreement for each country to aide the other in law enforcement actions. At this time, there is no such mechanism of international cooperation between governments that would allow this type of coordination.
This is one of the problems that could be solved by negotiation of an international convention for the control of cyber weapons.
ON MARCH 7th, 2017, Wikileaks released a giant file of 8,761 documents from the U.S. Central Intelligence Agency (CIA). Wikileaks called the leak the “first full part of the series “Year Zero”. The documents were stolen from a network that supposedly was “isolated” within the CIA itself.
Figure 1: The structure of the CIA’s cyber weapons development group, according to Wikileaks.
What is surprising about the leak to Wikileaks is that it contains not only documentation regarding CIA development activities, but also the actual code (“several million lines of code”) used in these various exploits.
It appears that these cyber weapons allow almost any electronic device to be hacked for purposes of intelligence collection.
Since there already is a great deal of publicity regarding these weapons, there is no need to discuss them here.
If the leak is genuine, then this is another giant blow to the intelligence community. It will make it easier now for criminals, terrorists, human traffickers, heroin cartels or others, including other nation states to deploy cyber weapons against the United States. It also will allow these enemies to avoid detection.
It further will erode faith in U.S. technology exports and harm U.S. technology companies.
The persons who leaked the information are traitors, and what they have done will result in people being killed or otherwise harmed. If they are found, then they should be prosecuted.
Wikileaks reports that approximately 22,000 IP addresses located within the United States were targets of these cyber weapons.
As if they are some type of hero, the leaker wishes “to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.”
This blogger agrees that we should have a debate, but inflicting severe damage against the intelligence community is hardly the way to do it. An alternative debate might be whether or not the leaker should be shot.
In any case, this leak emphasizes the following dangers of cyber proliferation:
This unfortunate compromise in U.S. national security again emphasizes the need for the nations of the world to begin the process of creating an international convention for cyber arms control. The proliferation of cyber weapons needs to be stopped before there is a tremendous disaster.
爱德华.M.罗氏是哥伦比亚商学院下设哥伦比亚远程信息研究所的一位研究员。迈克尔 J.布莱恩不时撰写各类主题的文章。
By Edward M. Roche Ph.D., J.D. and Michael J. Blaine, Ph.D.
在此,我们要感谢苏珊·W·布伦纳和罗伯特杰维斯,感谢他们对本文早期草稿提出的意见。
摘要:如今,网络武器是国家权力的延伸。为夺取战略优势,许多国家,包括美国,俄罗斯和中国在内的诸多国家都在增强网络攻击能力,以打破竞争国家的政治,经济和社会体系。这些活动引发的网络军备竞赛正以势不可挡的速度展开,几近失控。这一全球性的威胁迫在眉睫,要求国际社会积极主动应对。本文旨在提出一份国际公约,用以在电子末日之战爆发前,遏制网络武器的发展,扩散和使用。首先,我们调查了军备控制方面的三项成功举措,并总结之前的经验,草拟了一份公约,这或可开启正式多边协议之路。
如今,网络武器的发展已经成为国家权力的延伸。美国成立了一个网络指挥机构,兼具防御性与进攻性。在中国、俄罗斯及世界各地的许多其他国家,也都有类似的网络发展。一场网络军备竞赛已在上演。
美国正在遭受攻击。2013年春天,美国麦迪安公司在网络上演示了一个由中国人民解放军(PLA)控制的黑客组织是如何对美国公司进行网络间谍活动的。政府雇用了非传统计算机黑客学习网络战的间谍情报技术。2007年,人们对纪念俄罗斯二战逝者的雕像产生争论,而就在这之后,拉脱维亚遭到大范围网络攻击,政府濒临崩溃。两年后,格鲁吉亚共和国也发生类似事件;2013年南韩亦遭北韩网络武器攻击。
这些攻击最初瞄准平民,但并不止步于此。伊朗的离心机浓缩铀受到“震网病毒”攻击,普遍认为美国和以色列是病毒的来源国。对于这种挑衅,伊朗被激怒,随即回击,对沙特阿拉伯的石油设施发动了网络攻击。且不论这些攻击的来源,这些网络力量的表现,证明了政府及其所代表的人民正受到网络武器的威胁。
网络武器危害巨大,因此符合大规模杀伤性武器的全部特征。以往通过战略轰炸才能达到的效果,现在只需更加清洁的网络武器便可完成。重要信息丢失,关键网络设施崩坏,武器系统瘫痪,由于股票、债权、支付和外汇交易系统的不健全导致的金融灾难——所有这些威胁都造成了各国争相增强防御能力的混乱局面,也为其使用攻击性武器反击提供了理由。
网络军备竞赛正在极速发展,彻底失去控制。网络武器发展不平衡的本质促使各国寻找先发制人的有利条件与攻击优势。根据托马斯.谢林发展出的“彼此恐惧突袭”的概念,这可能导致先发制人的螺旋式增长。
因此,制止网络军备竞赛的唯一途径就是各国进行多边谈判,限制这些隐形的危险武器进一步发展。
国际社会处理全局性威胁的方式并非单一模式。有时,在为控制某个问题而进行的一系列努力均告失败后,才会订立国际公约;在其他情况下,国际社会似乎能够预见威胁,那么就可以制订未雨绸缪的国际协定;还有些协议则更像是两种情况的结合:一份国际协议在威胁已明显存在、但还未扩散之际产生。下面每个例子对应上述一种情况。
预判模型:过去,国际社会曾成功地遏制了大规模杀伤性武器的扩散。1967年,《关于各国探索和利用外层空间包括月球与其他天体活动所应遵守原则的条约》规定,各国“不准在对地轨道上放置核武器或任何其他种类大规模杀伤性武器,亦不准天体上安装或以任何其他方式在外空部署此类武器”(第四条),各国应为各自空间物造成的损害承担国际责任(第七条)。这份法律被称为空间法典。
这份公约的产生,正是因为人们已清楚认识到,如果不一致同意进行限制,外太空将被军事化。当时,美国正在考虑研发和部署能够携带核武器并永久停留在外太空的原子动力飞机,距离其涉足太空只有一步之遥。在此情况下,人类是幸运的,因为此协议在任何国家尚未于外层空间部署武器之前诞生。
末端模型:指的是在试图加以控制的长期努力失败后最终达成的协议。控制化学和生物武器扩散的国际公约是一项仍在进行中的工作。1675年法国和罗马帝国签署了《斯特拉斯堡协议》,限制有毒弹药的使用。1874年布鲁塞尔会议建议禁止有毒武器的使用。1899年《关于禁止使用专用于散布窒息性或有毒气体的投射物的海牙宣言》将扩散“窒息性或有害气体”明确定义为违法行为。
第一次世界大战期间有超过一百万人受到甚至死于化学武器的伤害。1925年,《禁止在战争中使用窒息性、毒性或其他气体和细菌作战方法的议定书》禁止了生化武器的首次使用,但是没能成功限制这些武器的生产、储存和和转让。1975年,《生物武器公约》正式生效。但该公约仅仅要求各国“善意”协商限制这些武器的开发、生产和储存。由于当时两个超级大国(美国和苏联)已开发大量的生化武器为战时做储备,该公约亦呼吁销毁这类杀伤性武器。
1984年,美国-前苏联工作组起草了一份公约。1988年,一组伊拉克北部平民遭化学攻击的照片令谈判迫在眉睫。而在此之前,诸如公约对国际贸易的影响及其可验证性的问题一度影响了谈判进程。在《斯特拉斯堡协议》签署317年后,1992年《关于禁止发展、生产、存储和使用化学武器及销毁此种武器的公约》终于签署在即。该公约旨在禁止化学武器的制造并呼吁销毁库存武器。监督公约执行的工作交由禁用化学武器组织(OPCW)负责。该独立运作的组织总部位于荷兰海牙,目前负责在叙利亚进行调查。
与禁止在外部空间使用大规模杀伤性武器不同,控制生化武器要难得多。因为这些武器在国际公约成立前已经被生产和使用。要进行验证是很困难的,需要建立独立的第三方系统。
混合模型: 国际社会面临的另一挑战是处理大规模杀伤性核武器。与化学生物武器不同,核能是一把双刃剑。一方面,它为全球千百万人提供了电力;另一方面,核能也是不可想象的杀伤性武器之源,这些武器造成的后果曾在《美国战略轰炸调查》中有所描述。
德怀特·D·艾森豪威尔总统提出的“原子能为和平服务”的倡议似乎为和平使用核能开启了光明的未来。讽刺的是,这个计划向伊朗和巴基斯坦提供了第一批核反应堆。1970年签署的《不扩散核武器条约》(NPT)旨在继续支持核能的和平使用。同时,该条约严格限制除已开发核武器五国(美国,前苏联,法国,英国和中国)的其他国家进行核武器开发活动。大多数国家仍然没有核武器。但是印度,巴基斯坦,朝鲜和以色列已经开展了相关研发。
在核武器问题上,国际社会采用了双层制度:不要求已有核武器的国家放弃其技术,但禁止其他国家的核武器开发活动。该条约是“混合模型”的一个典型案例,即在威胁产生但没有扩散之前达成国际协议。
以上对主要国际公约的回顾,剖析了成功的国际公约的特点。基于对上述以及更多条约的研究,我们明确了了起草可行的国际协议,限制网络武器开发和使用的八个充要条件。当前,国际形势与《不扩散和武器条约》通过之前的形势类似。目前世界上有几个网络超级大国(美国,中国,俄罗斯,以色列),这些国家开发并部署了防御性和进攻性两种网络武器,虽然没有范围仍不广泛,但这些武器已经被使用。各国争相增强自己的网络战能力,此工作正在国土安全部的秘密高墙之后进行着。此外,与核武器发展相似,对网络战争后果的恐惧与不确定成为刺激着这场虚拟军备竞争的强大助推器。然而,网络战潜在的毁灭性影响使人们有望达成共识,控制这些武器的扩散。达成此种协议所需的关键条件简要讨论如下。
协商并最终达成一份控制网络武器的国际公约会问题重重,原因涉及互联网的规模与范围、及其他私人与公共网络系统。与诸如军事武器的其他领域不同,互联网延伸的范围遍及全球对整个社会意义深远,不论个人还是商务都随时随地依赖着这些系统。真正的大规模破坏有可能发生,因为各群体都既是网络攻击的责任方,也是受害者。表一概述了破坏网络空间主要犯罪者和及其动机。参与者包括政府,私人党派,恐怖分子,犯罪团伙和个人。其动机从经济破坏、窃取个人信息到对破坏、销毁政府,组织或个人的网上业务。
表二阐述了现阶段控制此类网络活动的各类法律。大部分网络活动在国家刑法和民法以及目前的国际司法体系的管辖范围内。若个人或者私人组织实施国际网络犯罪,则有国际形式的司法合作对此类活动进行处理。而在这些范围之外,还有一类重要的冲突,即政府与政府间的网络冲突;因此,国际网络军备限制条约的规模和范围应仅限于控制国家政府的行为与权限。
尽管国际公约的范围仅限于政府间的网络攻击,但国际社会仍然面临着迅猛的科技变化所带来的艰巨问题。不可计数的网络与系统错综联系,因此,要理解技术的理论复杂性并非易事。其他国际协议,如《京都议定书》,在数十年内都不会发生变化,因此有大量时间制定协议的详细条款。但是在网络领域, 数周之内,最长至数月之内就会发生变化,这使得草拟有效定义、防范网络攻击变得十分困难。一旦某种武器或活动被宣布为不合法,便会出现一种新的、甚至是更具破坏力的技术取而代之。人类在环境及地球科学方面的研究已延续多年,但在网络战方面,人类进行严肃的学术探讨与科学研究最多只有15年,大多数工作都集中在近五年内。最后,网络武器技术的复杂性也使任务变得艰巨,因为其要求具备在交换系统、移动电话、智能手机、电磁脉冲、阻断服务攻击,以及所有种类的软件和编程方面的知识。
许多网络攻击将跨国及私人企业作为目标,这也放大了网络武器问题的规模与复杂性。比如,谷歌提供电子邮件服务,脸谱网和领英网提供社交网络服务,无数商业信息门户开展电子商务。即使在那些由政府例行控制互联网的国家,这些也都属私营领域之内。因此,如果没有私营企业的参与,国际网络公约将是不可行的。原因有二。第一,这些机构才是真正懂得难题之下的技术的唯一实体;第二,政府需要技术层面的建议,以及在维护企业利益以支撑其经济方面的建议。
要利用私营部门的专业知识,一个普遍方法是借助咨询委员会。在国际上,美国首创咨询小组体系,这一体系已被广泛应用,特别是在科技领域,如电讯业。国际电信联盟(ITU)依托于数百家咨询委员会,这些委员会分为专门的组别,解决特定问题。例如,国际电信联盟建立并管理着一个覆盖广泛的高科技委员会体系。电话呼叫可以开始于莫斯科,终止于智利的圣地亚哥,这一技术标准就由该委员会体系首创。如果没有这些技术政策委员会,世界上每个国家或地区都会有自己的一套标准,那么,两个不同地区间将无法协作互通。
即使前面提到的问题全都得以解决,一个最为本质的问题仍然存在,那就是,一个民族国家为何要加入此条约。显然,此条约将会限制国家发展攻击性网络武器的权利,而这从本质上讲是将国家主权拱手相让。 因此,最通俗的解释是,一个国家必须断定,加入此公约的好处要大于损失,或者说是大于失掉某些国家主权的代价。
对于网络能力较弱的国家而言,由于他们发展网络武器的前景堪忧,亦鲜有参与网络军备竞赛的机会,因此,他们加入条约的动机是非常明确的。网络超级大国将有望主动限制其网络武器部署,这样一来,网络武器的差距便不会像没有条约时那么大。
对于那些拥有某些网络能力,但并未成为网络超级大国的中等水平国家而言,他们有双倍动机加入条约。首先,假设他们不需销毁现有武器,则相比众多欠发达国家而言,他们会保有优势;其次,他们又可以牵制超级大国毫无限制地部署网络武器。
对于网络超级大国来说,动机会更为复杂。一些政治科学研究已经将游戏理论,特别是“囚徒困境”,应用于国际合作问题中,并发现了达到平衡的可行方式,这种平衡即放弃一些国家特权,从而获得更好的结果。简单说来,参与者受公约的规定所束缚,并非希望使他国获利,而是希望如此一来,可以避免加入不受控制的武器装备竞赛。因此,同意不最大化使用力量,超级大国便可确保其他国家也受此约束。这一观念的实质是:国际规则很少强制执行,但大家通常都会遵守。
最后一个问题必将使协商达成国际协议的过程复杂化,那就是人权与政府管制之间需要达到平衡。这一问题也关系到世界网络基础设施的总体活力与经济效率。政府为确保网络基础设施受到保护,就必须监控网络,以防止任何攻击或骚扰。然而,这种监控极有可能意味着个人、机构和商务的网络交际会遭到窃听。关于国家在控制信息获取及其传播方面所扮演的角色,国家间的政治理念有很大差异。一些国家会经常性地审查网络空间,另外一些国家不会审查,但可能会监控。一种普遍的担忧是,一份国际协议本意在于创造更加安全的网络空间,但最终却可能成为“星法院”,使得政府审查制度笼罩于人权之上,令其暗淡无光。
另一类似的问题涉及到网络的经济效率及其对馈线网的支持。一种合理的担忧是,政府管理会提高商务与个人的成本,可能会阻碍创新。 这个问题对于跨国企业和一般意义上的整个商业领域来讲意义尤为重大,因为他们如今在网络空间进行着大量的经济交易。因此,若要达成某种限制网络武器的合作协议,即使只是初步商议,国家也需要与相关利益方充分探讨这些担忧,并就如何防止消极的社会和经济结果产生达成某种共识。显然,任何国际公约都需要适应不同国家在控制网络及其基础设施方面的不同观点。
鉴于此类情况,可草拟出各国的义务,并将其作为网络武器限制条约的核心内容。我们可以设想一种可能的情况来加以说明。假设公约的某一签署国遭受了网络攻击重创,攻击来源未知,但造成了巨大损害。那么,在这种情况下,公约的各签署国需履行何种义务呢?
一般来讲,此种假设情景由三个阶段构成: (1) 攻击发生; (2)受害国无法识别攻击来源; (3)采取行动识别攻击来源,将犯罪分子绳之以法,或以某种方式恢复秩序。
基于上述几点,我们起草了初步的语言,这或可构成一份切实可行的网络公约的基础范本。
导言
鉴于互联网与其他计算机间通讯网络的流畅运行已被认为是世界经济与重要基础设施的必不可少的运作基础;
鉴于互联网与其他计算机通讯网络会遭到攻击,完整性和有效操作被破坏,因此造成经济损失,也威胁到国际和平与安全;
鉴于诸多此类网络攻击侵犯了过境国的中立性;
鉴于使用网络武器可造成与使用传统军事动能武器一样巨大的损害,这一点已被公认;鉴于世界所有人民,包括科学界与教育机构都拥有通讯自由;
鉴于世界范围内的大额商业交易都是在没有人为干预的网络基础上完成的,这一点已被公认;
本公约签署国决心确保网络空间用于和平目的,就以下事项达成一致:
网络武器定义
在本公约中,网络武器指的是一切由民族国家开发的软件编码或程序,用以非法中断、禁用或进入世界计算机通信系统的任何部分,包括所有数据网络。
有双重用途的技术若用于攻击目的,则被认为是网络武器。
本公约无意限制任何签署国正当防卫的权利,包括保有国家安全信息机密的权利。
网络武器禁令
所有成员国禁止制造或开发攻击性网络武器。
所有成员国禁止将攻击性网络武器转让他国。
本公约并不禁止任何成员国行使其权利,采取防御措施阻止或减轻网络攻击。
国际网络管理局
应创立国际网络管理局(ICA),通过国际电信联盟进行运作。
该国际网络管理局应由永久常务委员会进行管理。
永久常务委员会应设7个常任成员国与4个轮值成员国。
常任成员国应包括: (1) 美利坚合众国;(2) 俄罗斯联邦;(3) 中华人民共和国; (4)日本; (5) 印度; (6) 印度尼西亚; (7)欧盟。
永久常务委员会还应设4个轮值成员国,由联合国大会指定,任期三年,交错进行。
该国际网络管理局应听命于安全理事会。
该国际网络管理局应直接向安全理事会报告。
该国际网络管理局应被赋予调查任何网络事件的权力。
该国际网络管理局应有权组织调查任何网络攻击行为。
该国际网络管理局应对全球网络空间安全作好记录,并发布年度报告,总结世界网络基础设施状况及网络事件数据。
为更好行使其职责,该国际网络管理局应有权与商业组织和非政府组织(NGOs)达成合作,协同安排。
该国际网络管理局的职员配备应依照国际公务员制度规定。
识别攻击
当有需要时,所有成员国都应与国际网络管理局合作调查任何网络攻击的来源。
如果网络攻击跨越一个或多个签署国领土,则每一过境国都应配合国际网络管理局的工作。
所有签署国应负责提供国际网络管理局需要的信息,前提是此举不与自卫权相冲突。
威胁国际和平与安全
一国对另一国的网络攻击,若被认为威胁到国际和平与安全,可请安全理事会进行处理。
适用《和平解决国际争端》(《联合国宪章》第六章)的程序。
根据《联合国宪章》的第八章,网络攻击可能被认为是威胁和平,破坏和平,或者侵略行为,安全理事会也可能因此受到影响。
普遍权利
本公约不会削弱任何签署国在《世界人权宣言》第十九和二十条中的义务。
本公约不会削弱任何签署国依照《公民权利和政治权利国际公约》采取行动的权利。
商业权利
本公约不会削弱私营、国营与半国营企业参与国际贸易的商业权利。
行动号召
网络军备竞赛的警钟已经三个不同的学术领域内敲响:(1)在国际法学界;(2)在国际关系与政治学(包括军事战略)领域;(3)在科技界。每一领域的学者都从自己的角度调查过去五至七年内的重大网络事件,而值得注意的是,他们都得出了一致的结论。
在国际法学界,学者们似乎同意“法律制度顺应网络攻击的独特属性”是十分必要的,但这很难明确定义。尽管美国政府颁布了《网络空间国际战略》,法律规定仍是模糊不清的,也使军事思想变得复杂。政府内的律师已就网络战争提出了诸多引人深思的法律问题,令我们的军队难以作战,甚至难以在网络空间策划战争。一些人认为,武装冲突法虽然设定了最低标准,但是“有关武装冲突的法律主要用以解决由动能武器发动的冲突”,而非网络冲突。
要国家为网络攻击负责是十分困难的,因为网络攻击很难追踪,政府可能雇佣“黑客”为其工作,而且网络攻击的本质也可能会掩盖其真正源头。一些人得出结论认为,对国际网络安全构成最大威胁的不是犯罪分子,而是国际体系中的国家。早在法律改革的倡议提出时,黑客活动分子就已处于特殊监视之下。不过,即使可以起诉网络犯罪分子,法律问题仍然复杂,包括(1)司法权; (2) 证据规则; (3) 正当程序 (4)国际认可与判决的执行。 所以从国际法角度讲,制定国际公约牵涉到诸多问题,还要使其与国内法规完全兼容。
在国际关系与政治学领域,讨论集中在网络武器是国家权力的何种要素。科技界强调世界巨大的“网络空间”的复杂性,同时强调这种现象相互关联的本质,那就是,它轻易而持久地跨越了国界。
毫无疑问,一些人会认为前述分析不具备充足的说服力,甚至会显得微不足道,对于如此重要的议题而言,我们的语言与方式都太过简单化。而要成功谈判达成国际公约,又障碍重重,任务艰巨。虽然看似疯狂,但我们仍有办法,因为网络战争问题的重要性与网络攻击潜在的巨大代价都使其成为众所关注的问题。虽然有关国际法律与制度的杂志是一个合适的论坛,但我们希望我们这一努力能够获得更广泛的受众群,他们拥有各种不同的知识和背景事实上,我们正需要这样一个群体来解决在达成网络军备限定公约过程中的种种复杂之处。
对此条约的法律与政治学含义有特殊兴趣者,可参考脚注,诸多此类问题已在脚注中作答。 这样一来,本文主体部分仅作为一般的行动号召,对广大读者而言通俗易懂。问题迫在眉睫,需要即时行动。我们希望“网络广岛”不要再继续向前发展。
Footnote19: 本条款允许开发与维护网络工具,比如诊断软件,虽然可用于有害目的,但设计意图在于帮助计算机网络运行。
Footnote21:术语“协调”指安排部署,即相关国家派出调查组或配合国际调查组应对网络事件。
Below are a few conclusions we can draw regarding how the Chinese government views cyberspace (网络空间 wǎngluò kōngjiān).
Economic and cultural advantages of Cyberspace. There is acknowledgement of progress in communications, education, coordination and manufacturing, healthcare, finance and a number of other areas. Cyberspace is viewed as being a driver for economic development. In general, there is a very positive view of the potential for cyberspace to benefit both China and humanity as a whole.
Cyberspace is a new type of national “territory”. Although abstract in nature, the Chinese view is that cyberspace deserves the same type of protection as “brick and mortar” territory (land, sea, air, and space). Not only must the territory be protected, but it must be expanded if possible. There is a “competition” between nations to expand their cyber territory.
Threat to political security. The Internet and cyberspace can be used for many activities that might harm society or the political system. There is a risk to the “political security” (政治安全 zhèngzhì ānquán) of China. This view likely comes from the Chinese assessment of the “Arab Spring” or other social movements that have been enabled through the Internet and which destabilized or swept away governments.
Cyberspace can make China vulnerable to cyber espionage. China policymakers fear the use of the Internet for carrying out “cyber espionage” (网络窃密 wǎngluò qièmì) and for eavesdropping (网络监控 wǎngluò jiānkòng) (spying on) Chinese society, its businesses, associations, or government.
The Internet can be used by China’s enemies to destabilize its political system. There is a fear that by inciting social unrest and promoting unhealthy or incompatible ideas, the enemies of China may attempt to use the Internet to overthrow the government. As a result, part of the Chinese strategy for cyberspace is to put in place controls on information imported from outside China. This curbing of the free flow of information is viewed as being a prudent measure of public safety, and although there is a trade-off with individual rights, a priority is placed on maintaining social stability in the world’s largest nation.
Cyberspace should curtail other than socialist core values. China has a concept of harmful information (有害信息 yǒuhài xìnxī) and cultural security (文化安全 wénhuà ānquán) that do not have an exact equivalent elsewhere. The idea is that the Internet and its unfettered communication provide a platform for spreading obscenity (淫秽 yínhuì), ideas about violence (暴力 bàolì) against society, superstition (迷信 míxìn), moral anomie (道德失范 dàodé shīfàn), and decadence (颓废文化 tuí fèi wén huà). Here, the meaning of “superstition” really is “religion” as scientific communism or historical materialism do not recognize a supreme being, and promoting such beliefs is not compatible with communist society. Cyber space should be free of this type of content, much of which is commonplace in other parts of the world. The difference is that it is Chinese government policy to protect the Internet inside China from these bad influences.
Fake News in social media should be repressed. There is a specific notion that network rumors (网络谣言 wǎngluò yáoyán), can harm society. Therefore fake news should be kept off of the Internet. And this should be done by the government as a means of providing security to the Chinese people.
China employs a concept of “Internet Terrorism”. Online terrorism (网络恐怖 wǎngluò kǒngbù) is defined as being both general hacking (stealing information, infringement of intellectual property rights), as well as inciting and fomenting illegal behavior. There are three general classes of cyberspace terrorism: (1) using the Internet as a means of communication for the purpose of promoting terrorism; (2) committing computer crimes against persons or organizations; and (3) committing crimes against the Internet itself (hurting its operation, denial of service attacks, destruction of information or network logic), such as through introduction of viruses or malware (计算机病毒 jìsuànjī bìngdú). There is no significant difference between the Chinese and nation’s views in this area.
China views cyberspace as a new territory to control and harvest. Cyberspace is thought of as a new “territory” where it is vital for nations to grasp control of strategic resources (网络空间战略资源 wǎngluò kōngjiān zhànlüè zīyuán). This means not only grasping the physical aspects of the Internet where possible, but also getting control over how the rules are made. This is generally referred to as Internet Governance (规则制定权 guīzé zhìdìng quán). China’s approach to internet governance is to emphasize the role of government as taking the lead. This is in contrast to the multi-stakeholder processes in vogue in much of the rest of the world. The Chinese system is simply not organized to allow non-government actors to make public policy.
China is building a cyber deterrence capability. Cyberspace is a platform through which a nation can build a deterrence strategy (网络威慑战略 wǎngluò wēishè zhànlüè). Deterrence is the principle that a nation if attacked will retain enough capability to do a significant amount of damage against its enemies. This makes it impossible for one country to attack another without itself suffering overwhelming damage. It is speculation to suggest how this principle would work in cyberspace. Nevertheless, deterrence must be based on the development of offensive cyber capability, which we can assume China is busy developing. In this connection, Chinese strategy is focused on preventing cyberspace conflict (网络空间冲突 wǎngluò kōngjiān chōngtū).
China recognizes there is a cyber arms race that should be controlled. The Chinese view the cyber arms race (网络空间军备竞赛 wǎngluò kōngjiān jūnbèi jìngsài) as being a danger to international peace and security. It is not known if the Chinese Government is interested in pursuing an international treaty for the control of cyber weapons. However, it does acknowledge that there is an arms race in cyber. We can conclude that China is working as quickly as possible to develop and deploy an entire arsenal of cyber weapons. China recognizes the need to control the cyber arms race (网络空间军备竞赛 wǎngluò kōngjiān jūnbèi jìngsài).
China continues to deploy a national network control system. It appears that Internet security in its broadest sense is to be guaranteed by the Government of China through a national system (国家网络安全保障体系 guójiā wǎngluò ānquán bǎozhàng tǐxì). Cyber security (网络安全 wǎngluò ānquán) practices are intended to keep the network stable, reliable and secure.
China recognizes there is a cyber arms race that should be controlled. The Chinese view the cyber arms race (网络空间军备竞赛 wǎngluò kōngjiān jūnbèi jìngsài) as being a danger to international peace and security. It is not known if the Chinese Government is interested in pursuing an international treaty for the control of cyber weapons. However, it does acknowledge that there is an arms race in cyber. We can conclude that China is working as quickly as possible to develop and deploy an entire arsenal of cyber weapons. China recognizes the need to control the cyber arms race.
China intends to use international negotiations to govern cyberspace. The Chinese government is pursuing a multilateral governance system for the Internet(多边国际互联网治理体系 duōbiān guójì hùlián wǎngzhì lǐtǐ xì). Internet governance (网络空间治理 wǎngluò kōngjiān zhìlǐ) is viewed as handling terrorism, cybercrime, and even helping to bridge the digital divide(数字鸿沟 shùzì hónggōu) between developed and developing countries. It is not clear how much non-governmental input China views as being essential to development of a global multilateral Internet governance arrangement.
A nation’s cyberspace is sovereign territory. A nation has complete authority within its territory, and within its cyberspace territory, to control everything that happens there. Cyberspace sovereignty(网络空间主权 wǎngluò kōngjiān zhǔquán) is an essential principle.
No nation should dominate cyberspace. China acknowledges the concept of “cyber hegemony”(网络霸权 wǎngluò bàquán), which may be a reference to the United States, which is the source of most of the world’s innovation and commercial products in cyberspace. No cyber-powerful nation should be able to destabilize the “cyberspace order”(网络空间秩序 wǎngluò kōngjiān zhìxù) by forcing into another country information that is harmful (有害信息 yǒuhài xìnxī) to its national security or national “interests”.
Use of Cyberspace should not threaten international peace and security. The Chinese view is that certain actions by nations can be a threat to international peace and security as defined in the United Nations Charter. This should be avoided. By specifically using the phrase “threat to international peace and security” (国际安全与稳定相悖 guó jì ān quán yǔ wěn dìng xiāng bèi), China is drawing upon the United Nations Charter. This presumably means that a cyber attack could be brought before the United Nations Security Council.
Law should govern cyberspace. There is a recognition that cyberspace should be governed by law (依法治理网络空间 yīfǎ zhìlǐ wǎngluò kōngjiān). This appears natural, but actually it is only one of several models for internet governance. An alternative view is to rely on self-organizing systems. For example, Wikipedia, the Linux operating system, or many internet technical standards are not planned, but instead are spontaneously created through more or less unorganized masses of contributors. This is explained clearly in the classic book The Cathedral and the Bazaar. The Chinese view of relying solely on law to govern cyberspace is in line with its view of government as being the premier and sole source of governance authority.
Eric S. Raymond, The cathedral and the bazaar : musings on Linux and Open Source by an accidental revolutionary, Beijing; Cambridge, Mass.: O’Reilly, 2001.
In his analysis of why détente between the United States and the Soviet Union broke down in the period of 1975 to 1980, Olav Njølstad, of the Norwegian Nobel Institute, identified five factors. We can test these factors to today’s environment to suggest the prospects for conclusion of an international treaty for the control of cyber arms proliferation.
Détente was a policy adopted by the Soviet Union and United States to lessen geopolitical tensions, establish mutually beneficial relationships, and importantly, engage in strategic (nuclear) arms control. It resulted in the conclusion of the SALT I treaty, but not the SALT II treaty. (SALT = “Strategic Arms Limitations Talks“)
Here are Njølstad’s Five Factors and what they might suggest for cyber arms control.
Njølstad argues that the leaders of the USA and USSR never really trusted each other. Although between Nixon and Brezhnev there gradually had been a build-up of personal trust, the large interest groups led by elites on both sides never understood each other. Nixon, for example, had Brezhnev out to his home in California for extensive discussions, and the photographs of the moment show a relaxed cordiality and workmanlike attitude present between these two leaders. But when Nixon left office, one leg of the table collapsed, and things fell apart finally under the administration of Jimmy Carter.
Application to Cyber Arms Control. It is difficult to judge the amount of “trust” between the superpowers today. But it is safe to assume that it is not different from twenty years ago, and may be even worse. Under that line of thinking, the lack lack of trust argues against agreement on a cyber treaty. A counter-argument may be that unlike the situation in the Cold War, in cyberspace, there is not such a compelling groups of elites on either side. That is, whereas in the kinetic warfare realm, there automatically is a sharp division between competing parties, in the cyber realm the interest group may be the entire Internet community, worldwide. An additional consideration is that there is no strong “cyber war” faction we have noticed at least in the United States. Or is there? A counter-counter argument is that the cyber realm is so new, sensitivities are such that it is much more difficult to build trust, in no small part because so little is understood of this new realm of interaction between nation states.
Conclusion: The lack of trust will inhibit agreement on a cyber arms limitation treaty.
Njølstad also argues that the United States and Soviet Union had very different values, and this was another element in why détente fell apart. In its simplest form, this difference was Communist orthodoxy versus the human rights, democracy and justice values of the United States. In the Communist view, “peaceful coexistence” was possible between the superpowers, but there always would remain a competition in the realm of ideology. Many observers have argued that the Third Basket of the Helsinki Accords, concerning human rights, was responsible for generating a wave of anti-regime behavior throughout the Soviet Union, ultimately leading to its collapse.
Application to Cyber Arms Control. As pointed out elsewhere in this blog, China, Russia and the United States have very different views regarding Internet governance, and regarding the role of information in society. In particular, in Russia and China, there is an acceptance of the role of the government in controlling information and communications. Generally, these actions of censorship, or information regulation, are carried out with a view to maintaining stability. So that is a very different point of view from much of the West. The counter-argument is that whereas there are different views on the role of government in controlling information, there actually is an almost perfect agreement regarding the need to control cyber crime. In this connection, there is obviously a great potential for international agreement. The counter-counter argument is that although there is a shared interest in controlling cyber crime, this does not necessarily translate into interest in getting cyber arms control.
Conclusion: There are strong points of agreement between the superpowers on the need to control cyber crime. This would indicate potential for some type of international agreement to help accomplish this goal. In this connection, different philosophies regarding the role of government in controlling information is not relevant. So there are places where it should be possible to reach international agreement, but it remains to be seen what advantage countries would have in limiting their own ability to develop and deploy cyber weapons.
Between the United States and Soviet Union, there was no substantial economic interdependence. There was little produced in the Soviet Union that was needed in the United States. The Soviet Union produced little of value except oil and raw materials. More than 40% of its GDP was being spent in the military industrial complex, and almost all of the money from oil exports was being used to pay for importation of meat and grains from the West. In addition, the Soviet Union was burdened by its overseas commitments, all of which were costing substantial amounts of money. Njølstad’s notion is that had there been greater economic integration, then this would be a booster of détente, or at least something to prevent its deterioration.
Application to Cyber Arms Control. Between China and the United States, there is significant economic integration; between the US and Russia, the situation has not changed much since the 1980s. Between China and Russia, there is some trading for energy, but little else. Compared to China, Russia’s economy is very small. In the area of cyberspace, the United States is dominant, and it does not need either of the other two markets to have a viable Internet ecosystem. Nevertheless, there is acknowledgement on all sides that cyberspace, the Internet, plays a crucial role in economic development. Therefore, it is a priority on all sides for the Internet to continue to function so that infrastructure and economic functions can continue to operate smoothly. Even though each nation views development of defensive weapons in its own jurisdiction a sovereign right, in the realm of cyberspace, there may be an incentive on all sides to reach agreement on international procedures and other mechanisms to keep cyberspace open for business.
Conclusion: Favorable for cyber arms control.
Njølstad argued there is a “zero-sum logic of Cold War geopolitics”. That is, if one side gained, the other lost. In the Cold War, there was a mistaken tendency for the two superpowers to consider detente to be a bilateral matter but without reference to competition taking place in the developing world. So under this thinking, it would be possible to continue to probe for geopolitical advantages elsewhere while maintaining détente between the superpowers themselves. It didn’t work. The Soviet invasion of Afghanistan, and the problems in the Middle East, Angola and the Horn of Africa (Ethiopia, Somalia) led to continued problems. The fall of the Shah of Iran and the Soviet Invasion of Afghanistan led to the “Carter Doctrine” which threatened war if the Soviet Union moved to exert control in the Persian Gulf. It also lead to a giant military build-up, which President Reagan inherited.
Application to Cyber Arms Control. For this analogy to work, we would need to see evidence of continued probing for advantage in cyberspace while at the same time attempting to maintain a regime of cyber arms control. We can expect that nations would continue to engage in cyber espionage, and therefore it would not be possible to have any international agreement limiting this important government function, on any side. On the other hand, cyberspace is such that there may not necessarily be a zero sum game. Does innovation in one area (country, application portfolio) automatically lead to losses on the other side? One could argue “yes”, and give the example of how China has discriminated against foreign social media and other Internet services groups so as to create its own native Chinese companies. But it is difficult to show harm to the other side, which continues to grow and prosper. It can also be argued that the interest in keeping the Internet running will be strong enough to encourage work at international agreements that limit cyber weapons and their proliferation. For example, cyber weapons should not be allowed to fall into the hands of non-state actors (information terrorists). This would be also the case if other nations were coaxed into joining the control regime, because the superpowers would see the treaty as a way to limit weapons developed elsewhere. This would limit threats to Internet (cyberspace) stability and thus be of benefit to everyone. And at the same time it would not prevent competition from continuing.
Conclusion: Favorable for cyber arms control.
Njølstad argues that on each side there were “intellectual, institutional, and economic pressures” coming from “groups, companies, and bureaucracies with a vested interest in the arms race”. As a result, it became much easier after détente began to weaken to raise voices calling for a harder line. In the same way Carter eventually was overwhelmed by hard liners, Brezhnev faced the same problem in the Soviet Union with pressures from the military and intelligence parts of the government.
Application to Cyber Arms Control. There is no strong institutional or economic pressure to continue building cyber weapons. They are not expensive to build. For example, the cost of cyber arms are nothing compared to the price of rolling out a new strategic bomber, fighter jet, or missile system. So we can conclude that there is no such strong institutional lobby standing by to back up hard liners should this possibility emerge.
Conclusion: Favorable for cyber arms control.
Njølstad’s analysis gives crucial insights into why détente between the Soviet Union and the United States eventually fell apart. When we apply these same factors to the possibilities for cyber arms control, the picture is not as negative. But it is not completely positive either.
One limitation (of many) in this analysis is that détente was seen as a bilateral policy between the United States and the Soviet Union. This is quite different from what would be required for the negotiation of a multilateral treaty for cyber arms control. So in a strict sense, applying a bilateral framework of explanation against a possible multilateral problem set is problematical. The counter-argument to this is that in arms control, leadership can be shown by superpowers, with the prospect that smaller less consequential nations will follow the example of the superpowers. A second counter-argument is that this bilateral framework can be applied to any set of multi-lateral relationships. For example, one could apply it to US-Russia relations, then to US-China relations, then to Russia-China relations. So it probably is possible to apply it to multilateral relations, although that is not its original design intent.
Olav Njølstad, “The collapse of superpower détente, 1975-1980”, in Melyn P. Leffler and Odd Arne Westad, Eds., The Cambridge History of the Cold War, Vol. III Endings, Cambridge U. Press, 2010, pps. 135-155
China’s national strategy for cyberspace is breathtaking in its comprehensiveness. It recognizes the importance of the Internet in all domains of human activity (education, science, business, communications), but also acknowledges what it views as being major problems with the Internet as it operates now.
没有 网络 安全 就 没有 国家 安全 (méiyǒu wǎngluò ānquán jiù méiyǒu guójiā ānquán)
Without cyber security, there is no national security.
网络空间 是 国家 主权 的 新疆域 (wǎngluòkōngjiān shì guójiā zhǔquán dí xīn jiāngyù)
Cyberspace is the new territory of national sovereignty. (Lit. Cyberspace is national sovereignty [of] new territory.)
网络 攻击 威胁 经济 安全 (wǎngluò gōngjī wēixié jīngjì ānquán)
Cyber attacks threaten economic security.
网络 有害 信息 侵蚀 文化 安全 (wǎngluò yǒuhài xìnxī qīnshí wénhuà ānquán)
Harmful online information corrodes cultural security.
NB: Many of the terms are more or less the same as in English, others are different for two reasons: First, there is an inherent ambiguity in the Chinese language that makes it possible for a work (or character combination) to have a number of meanings in English, some narrow some general; Second, even though some of the terms translate into English, the context of the Chinese text indicates that their meaning actually is slightly different or may have a specific Chinese context.
In addition, a few terms are used in a way that indicate the overall policy thrust of the Chinese government both internally and in international fora, and this is noted.
We have inserted spaces into the Chinese phrases to separate the characters into words, usually two-characters in length. In written Chinese, there is no spacing between words. After the characters, we have inserted the romanization of the characters with the Mandarin 4-tone accent marks, and also clustered together these into words with spaces.
The order is according to the romanization of the Chinese. This is because there are numerous variations in the english equivalents (or semi-equivalents).
A
安全 (ān quán)
Security.
B
暴力 (bàolì)
Violence. This refers to content. (It is peculiar that violent gaming is very popular in China.) We can conclude that this refers to the use of the Internet to provoke or condone violence or political upheaval.
D
颠覆 (diānfù)
Subversion.
DG
多边 国际 互联 网治 理体 系 (duōbiān guójì hùlián wǎngzhì lǐtǐ xì)
Multilateral (international) network governance system.
DS
道德 失范 (dàodé shīfàn)
Moral anomie; moral degeneracy.
FG
分裂 国家 (fēnliè guójiā)
Split the country; separatism. This refers to any communications on the Internet that discuss the break-up of China. Examples would be Tibet, which was occupied by China in the 1950s, and also Occupied East Turkistan, which is occupied by China. It is specifically prohibited to communicate information that would suggest any change in current political arrangements.
GG
国家 关键 信息 基础 设施 (guójiā guānjiàn xìnxī jīchǔshèshī)
National critical information infrastructure. This definition appears to be the same as in the West.
GJ
公众 监督 (gōngzhòng jiāndū)
Public supervision. This refers to government “control” of the Internet and its content, but also control over all aspects of the technology, including standards, governance procedures, domain name registration, and so on.
GW
国家 网络 安全 保障 体系 (guójiā wǎngluò ānquán bǎozhàng tǐxì)
National network safety protection system; national network security system.
GZ
规则 制定 权 (guīzé zhìdìng quán)
Right to make rules; Internet governance.
GX
关键 信息 基础设施 (guānjiàn xìnxī jīchǔshèshī)
Critical information infrastructure.
JB
计算机 病毒 (jìsuànjī bìngdú)
Computer virus; malware.
M
迷信 (míxìn)
Blind faith; superstition. This refers to what the West would call “religion”. In other words, the spreading of “superstition” is considered to be a danger on the Internet. It is in the class of information that must be controlled and weeded out.
S
渗透 (shèntòu)
Penetration. This term is used for hacking, that is, the illicit access to an information system through the Internet.
SH
数字 鸿沟 (shùzì hónggōu)
Digital divide. This is the standard terminology used to express the difference in access to information technology between the developed and developing countries. It is a holdover from the New World Information Order that was started originally in UNESCO as an anti-Western movement seeking government control over mass media.
社会 主义 核心 价值 观 (shèhuìzhǔyì héxīn jiàzhí guān)
Socialist core values viewpoint. This term is used to express what China believes should be a guiding principle in content available through the Internet. The other side is that is that information without this viewpoint is officially not welcome.
TW
颓废 文化 (tuífèi wénhuà)
Decadent culture; dispirited culture. This term refers to content on the Internet that does not have the correct and acceptable point of view or theme.
W
网络 (wǎngluò)
The internet.
WA
文化 安全 (wénhuà ānquán)
Cultural security. This term refers to a vulnerability caused by the Internet, by Cyberspace. There is a fear that without appropriate control, the Internet will harm “cultural security”. This term is alien and more or less unknown in the West.
网络 安全 (wǎngluò ānquán)
Cyber security, network security; network protection.
WAF
网络 安全 防御 (wǎngluò ānquán fángyù)
Network security defense; cybersecurity defense. This term is general in nature and does not specifically refer to actions of the People’s Liberation Army (PLA).
WAS
网络 安全 审查 制度 (wǎngluò ānquán shěnchá zhìdù)
Network security review system. This term refers to a national program or set of policies that will enforce security checks on the Internet, that is, on the entire Internet within China. By necessity, it is a centrally directed effort of the government.
WKC
网络 空间 冲突 (wǎngluò kōngjiān chōngtū)
Cyberspace conflict. There is no specific example of this. For example, it is not clear if it applies to only the technology and network level or also includes information operations. Within the context of the overall policy, it would include information operations. Therefore, we can conclude that providing unacceptable information into China is a form a aggressing leading to cyberspace conflict.
网络 空间 (wǎngluò kōngjiān)
Cyberspace.
WKG
网络 空间 国际 规则 (wǎngluò kōngjiān guójì guīzé)
International rules for cyberspace. In the Chinese point of view, this term refers to a negotiated set of treaties and international agreements that will govern the Internet. These rules and norms will be negotiated by countries. This model of Internet Governance is not compatible with the Western point of view which emphasizes a multi-stakeholder approach.
网络 空间 国际 反恐 公约 (wǎngluò kōngjiān guójì fǎnkǒng gōngyuē)
International convention against terrorism in cyberspace; (Lit. Internet (cyber) international against terrorism convention). There is no such convention, but it is interesting that China is interested in the negotiation of such a treaty.
WKJ
网络 空间 军备 竞赛 (wǎngluò kōngjiān jūnbèi jìngsài)
Cyberspace Arms Race; Internet space arms competition. Although China recognizes there there is a cyber arms race, there is no discussion we have seen of a desire for an international treaty to limit the proliferation of cyber weapons.
WKZ
网络 空间 秩序 (wǎngluò kōngjiān zhìxù)
Cyberspace order. This term to refer to internal Internet conditions (within China), and also internationally. It reflects the China ideal notion of a type of stable and “ordered” international information system of Internet and “cyber space”.
网络 空间 治理 (wǎngluò kōngjiān zhìlǐ)
Cyberspace governance; internet governance.
网络 空间 主权 (wǎngluò kōngjiān zhǔquán)
Cyberspace sovereignty. This is a broad concept. In general, it considers that Chinese networks are integral to the nation and themselves are connected with national sovereignty. Therefore, an attack on Chinese cyberspace is the same as an attack on the landmass of China.
网络 空间 战略 资源 (wǎngluò kōngjiān zhànlüè zīyuán)
Strategic resources of cyberspace. This concept does not appear in Western thinking and may be a unique perspective in China. It considers that cyberspace is a type of territory in which there are various “resources” that can be acquired and controlled. In the Chinese view, it is an important aspect of national cyberspace policy to acquire and control these resources.
WL
网络 伦理 (wǎngluò lúnlǐ)
Network ethics. Behavioral aspects of citizen activities online.
WS
网上 思想 文化 (wǎngshàng sīxiǎng wénhuà)
Online ideology and culture. This refers to type of values and behaviors of people that spend much time online, and to expected behavior and cultural norms presented.
WQ
网络 窃密 (wǎngluò qièmì)
Cyber espionage; Using the Internet to steal secret information. China does not specifically define “secret” information, but in practice has a very broad definition. Chinese rules concerning cyber espionage are similar to other countries.
WW
网络 威慑 战略 (wǎngluò wēishè zhànlüè)
Cyber deterrence strategy. There is no specific discussion of this in the cyber context. However, it presumably means that it is official Chinese policy to develop cyber weapons that can be used to counter-attack in case China itself is attacked in cyberspace.
WY
网络 谣言 (wǎngluò yáoyán)
Network rumors; Fake news and false information spread through social media. This is another class of prohibited information. The Chinese government spends significant resources on monitoring and controlling rumors.
XC
信息 传播 秩序 (xìnxī chuánbō zhìxù)
Information dissemination order. Here the term “order” refers to a state in which everything is under strict control. So this implies that how information is distributed, and what the information is, should be under strict control. This, of course, is incompatible with Western thinking. It also may be incompatible with the Universal Declaration of Human Rights.
Y
淫秽 (yínhuì)
Obscenity. Same meaning as in the West, but obscene information is specifically prohibited by national policy. There is no exact definition of obscenity.
YX
应急 响应 (yīngjí xiǎngyīng)
Emergency response. This has the same meaning as in English, and in the West. It refers to quick response in case of a computer network emergency, such as a massive denial of service attack.
有害 信息 (yǒuhài xìnxī)
Harmful information.
有害 信息 (yǒuhài xìnxī)
Harmful information (harmful to national security or national interests). Chinese doctrine defines large classes of harmful information, and there is a specific policy to prevent this harmful information from spreading.
YZ
依法 治理 网络 空间 (yīfǎ zhìlǐ wǎngluò kōngjiān)
Governance of cyberspace according to the law; (Lit. According to the law govern cyberspace). This concept sounds neutral, but actually it is a more limited concept than found in the West. In the Chinese view, the “law” will be determined by governments and multilateral institutions without significant input from multi-stakeholder groups. So what this phrase means is something like “government monopoly on Internet governance”.
ZA
政治 安全 (zhèngzhì ānquán)
Political security. This term is unique to China. It has no equivalent in the West. In general, it refers to political stability or the credibility of the political system. Within the context of cyberspace doctrine, “political security” is a risk factor. That is, there is a fear that content transmitted on the Internet will generate or magnify dissent against the political system. In the Chinese context, it is government policy to censor or otherwise prevent such information from being transmitted through the Internet.
cyberarmscontrolblog 