cyberarmscontrolblog

International Agreement for Control of Cyber Weapons

Category: Cyber Arms Control

Microsoft’s Brad Smith Favors Cyber Arms Control

Steve Ranger on ZDNet reports on a recent presentation by Microsoft President Brad Smith. Like other tech-savvy observers, Smith worries about a cyber arms race that is out of control, and is in favor of doing something about it. See his blog post: “The Need for a Digital Geneva Convention”.

 

 


USA –– The World’s Cyber Superpower


A Cyber Superpower

The United States of America is the World’s cyber superpower.

History shows that the revolution in computing and information technology started not in the United States, but instead in England. But as the onslaught of the Second World War began to dim the starched and crusty sun of the British Empire, the world’s center of computing innovation shifted to the United States, and has never left. Today, the United States has emerged as the world’s cyber superpower. No other country comes close; in fact, the rest of the world added together does not equal the cyberpower of the United States. Nevertheless, with cyber-greatness comes cyber-vulnerability, and thus the United States faces many challenges going forward.

Technology Growth and Innovation

Birth of Computing. The foundations of computing were defined by Alan Mathison Turing (1912-1954), an English mathematician, in his paper “On Computable Numbers, with an Application to the Entscheidungsproblem”, delivered to the London Mathematical Society in 1936. After a long discussion, he writes “If this is so, we can construct a machine to write down the successive state formulae, and hence to compute the required number.” (Don’t try to read the paper unless you know a great deal of math. A better explanation is found in Andrew Hodges’s book “Alan Turing: The Enigma”.)

Turing was recruited to work at Bletchley Park, the center of the UK’s codebreaking operation during the Second World War. The central challenge was learning how to break the Enigma coding machine. Turing and his team built the world’s first electro-mechanical machine to break the code (bomba kryptologiczna [Polish]). Eventually the German Navy deployed an improved Enigma machine with more coding rotors. This blunted the English effort.

Nevertheless, the United States Naval Computing Machine Laboratory at a secret location in Dayton, Ohio started work on a more advanced code-breaking machine using vacuum tubes. You can see a picture of the U.S. Navy Cryptanalytic Bombe at the National Security Agency’s (NSA) National Cryptologic Museum here. The Museum has a picture of coding rotors on its facebook page here. This project was located in “Building 26” on the campus of the National Cash Register Machine company. This is where the future founder of IBM worked.

Growth of Computing. The history of computing is long, but most of the book was written in the United States. In particular, the release of the IBM System 360 included the first operating system. Mainframe computers, minicomputers, personal computers, handheld computers, integrated circuits, and so on. Much of this evolution was powered by companies in Silicon Valley, but also around Route 128 in Boston. As a note, much work in development of supercomputers was funded by NSA, especially the work of Seymour Cray.

Telecommunications and Networking. Most of the world’s innovation in telecommunications and networking has occurred in the United States. There is no need here to retell the long history of developments: Telegraph, Telephone, Radio & Television, Satellite, Internet, Mobile Cellular Technology. (See Desmond Chong’s comments here.) The Internet now connects most citizens of the world. (See: Internet Society report here.) From 1992 to 2015, the number of websites grew from 10 to 863,105,652 and from 1993 the number of Internet Users grew from 108,935 to 3,185,996,155. (See Internet Live Stats.)

This growth of “cyberspace” in effect has created an entirely new virtual geography for conflict between nation states.

Control of Cyber Infrastructure. Apart from manufacturing much of the technology, US companies produce the software, cloud systems, other Internet based services, and social media systems that dominate the world. There is no European Google, for example. Companies such as Google, Facebook, Twitter, Microsoft, IBM, Apple and others dominate the world’s ICT landscape.

Emergency Response to Cyber Attacks

In the post-9/11 world, the United States has built up an incredible infrastructure to defend against terrorism and respond to it promptly once it occurs. These investments envision threats from weapons of mass destruction, lone wolf terrorist attacks, Electromagnetic Pulse (EMP), and cyber attacks. A few days after the September 11th attack, the US Congress handed over to the executive $40 billion to “get started” on building these defensive systems. Then it wrote another check and another. The total amount invested is classified.

Investments were made in two directions: foreign intelligence, and emergency response in the homeland. Although the development of foreign intelligence capabilities using cyber espionage is secret, revelations from illegal criminal leaks published by the traitor Edward Snowden and the brutal Wikileaks, plus high quality yet legal investigative reporting by authors such as Dana Priest and William M. Arkin (Top Secret America: The Rise of the New American Security State) suggest the incredible capabilities of the United States.

  • A large amount of all Internet traffic worldwide is intercepted, stored, and subjected to analysis by organizations such as the National Security Agency (NSA).
  • A large amount of telephony traffic is intercepted and stored, then used for analysis of a number of problems.
  • Breakthroughs in artificial intelligence and other innovations in software have greatly expanded the effectiveness of intelligence analysis (although there are constant complaints that much more information is being collected than can be analyzed).
  • In response to the threat of terrorism, the USA has greatly increased the integration of law enforcement and intelligence gathering and analysis by building fusion centers linking local and state resources (police; emergency response) into the Federal Government.
  • The U.S. Military has been tasked with responding to threats that occur within the United States (and this requires it to collect and analyze threat data originating from within the country).

To put it in simple terms, apart from its not inconsiderable activities overseas, the United States has trained its military to fight, defend infrastructure, and collect intelligence within the United States itself.

Result: There has been a blurring of lines of responsibility between local, state, and Federal efforts to fight a cyber war.

The result is a nation state with dominant cyberpower:

  1. Control over the bulk of cyber technology.
  2. Largest and most sophisticated intelligence collection and analysis systems.
  3. Worldwide response capabilities, both kinetic and cyber, both offensive and defensive.
  4. The largest penetration into cyber networks around the world.
  5. Highest level of integration between cyber intelligence and cyber response.

Since 9/11, the United States in the cyber arena likely has invested more than 25 times as much as any nation that is in a distant second place. There is a cyber arms race, and the United States is winning, and will continue to do so for the foreseeable future (providing it keeps investing, as it probably will).


What is “Cyber Power”?

It is difficult to have an undisputed definition of cyberpower, but as a starting point, we can say that for a nation state, it may be defined by the following factors:

  1. w1 – The number of cyber-weapons deployed and under the control of the nation-state.
  2. w2 – The percentage of zero day cyber weapons deployed and under the control of the nation-state.
  3. p1 – The maximum number of cyber warfare operators per capita that are on duty under peak deployment.
  4. p2 – The maximum number of volunteer or militia cyber warfare operators that may be deployed to support the government.
  5. Rg – The number of websites that may be attacked by government cyber fighters.
  6. Rp – The number of websites that may be attacked by militia cyber warfare operators.
  7. e1 – The number of emergency response centers dedicated to monitoring cyber attacks and coordinating response.
  8. e2 – The number of emergency response centers with cyber-response capabilities.
  9. e3 – The number of emergency response centers with capabilities to respond to secondary targets of a cyber attack, e.g., infrastructure damage, but with no cyber capabilities.

Cyberpower might be estimated as follows:

(9[w2w1]+[w1-9{w2w1}]+3.5p1+p2) * (Rg+.6Rp) + (.9e1+.4e2+.15e3)

Getting this type of data, applying proper quantification and operationalization of the relationships, however, is somewhat problematical, to say the least.


Lingering Challenges Going Forward

Government and Private Sector Coordination. The United States has a peculiar arrangement whereby the government is responsible for defense of the nation, but is unable to control how private enterprises, and the private sector in general, avail themselves of defensive technologies. The private sector is left to defend itself. For example, under the National Security Agency (NSA), the Cyber Command (“Cybercom”) component is responsible for development of both offensive and defensive cyber weapons. However, it is not clear at all how and under which specific circumstances the power of Cyber Command would be used. See Figure 1.


Figure 1 –– Attack and Defense in Cyberspace. The US Government (NSA’s Cyber Command) is tasked with defending the U.S. Government from cyber attacks. But in case of cyber attacks against important private sector components, including infrastructure, there is no clear role or authority.

As of 2018 Cyber Command should have a 6,200 member force. It is under the command of the U.S. Strategic Command, which also is in charge of the USA’s nuclear weapons. This number, 6,200, might possibly be only a fraction of the true size of Cyber Command, considering that it is common practice in many parts of the U.S. government, including the military, to make extensive use of outsourcing and subcontractors to get work done. If the government employee/subcontractor ratio for other parts of the government is applied to Cyber Command, then a force of 27,900 might be more realistic.

Since it operates under the auspices of the National Security Agency (NSA), Cyber Command has responsibility for protecting the communications, including data communications and thus data processing and ICT infrastructure, of the United States Government. Presumably this means that should government ICT infrastructure come under attack from another nation state, Cyber Command could respond. The rules of cyber war are not yet worked out because it is difficult to have a “cyber war” without any real “war”. And if there is no real “war”, then presumably government weapons would not be used to fight the conflict.

This leaves a vulnerability for the United States. If the private sector, including the USA’s vast infrastructure (electricity, transportation, finance, business process computing, communications, distribution), came under attack, it is not clear that the NSA would respond. Perhaps it has standing orders to aid the private sector, but it is difficult to see how this could happen except through the mechanism of providing warning and advice to victims of cyberattacks.

It is possible that cyber militia might be used by either the private sector or by the government, but there is not much known about this possibility, and in any case, there would be legal and regulatory barriers for this to be done by the government.

This leaves open the challenge of coordination.

Focus and Coordination. Within the U.S. government, as well as the states and local jurisdictions, a large number of fusion centers and other points of shared operational responsibility have been developed and deployed. Everything from response to a chemical or biological attack to a full scale nuclear war has been prepared for. There is a particularly vigilant infrastructure in place to handle the aftermath of a severe terrorist attack against any community. But these centers specialize in different areas: some on electricity, others on public health, terrorism, or a number of other focus areas. They have different degrees of cyber defense and response capabilities, if any at all.

But we can be sure that in any cyber emergency, it will be very difficult to coordinate the activities of these many centers and there is no integrated cyber response plan to do so.

Effectiveness Against Cyber Attack

So looking below at Figure 2, we might hypothesize that there is an optimum number of centers of cyber excellence that determines the level of effectiveness against a cyber attack. In the initial stages of build-up, there is a rapid rise in effectiveness.  But if too much is built, the response teams will face increasing difficulty in coordinating their response, and the effectiveness will start to fall, even as investments continue to rise.


Figure 2 – Too much cyber defense might weaken the overall national efforts. Responses to cyber attacks are coordinated at various national centers. As the number of these centers increases, the effectiveness of response increases, but it never becomes perfect. At some point, further increases in cyber response centers weaken national cyber defense because of the cost of coordination.


Control of the Proliferation of Cyber Weapons

Cyber Arms Control. Understanding the prospects of cyber arms control must be based on realistic assumptions about nation state motivation. When seeking international agreement, the cardinal rule is that no nation state will support any regime that does not yield it a benefit. So any international convention to control the proliferation of cyber weapons must present some advantage for each nation in acquiescence. A “win-win” scenario, to use popular game theory lingo. So from the point of view of the United States, we must examine if it is possible to identify any specific advantages from such a treaty. Here are a few to consider:

  1. Uncertainty Mitigation. The exchange of information between nation states, even if imperfect (as it certainly will be), will lessen the uncertainty surrounding a potential cyber attack or cyber war.  This is because it will be necessary to keep a tab on the development of new cyber weapons by competing nation states. In addition, an international warning and coordination system for potential cyber war will enable the USA to better allocate the correct forces for the attack. In the absence of mutually exchanged information concerning the cyber weapons arsenals of the USA’s strategic competitors, there will be a tendency to over-build cyber-weapon counter-measures, thus wasting resources, and leading to further uncertainty. Finally, getting an insight into the cyber warfare operations and capabilities of its strategic competitors (China and Russia) will be less problematic and more accurate than obtaining an incomplete picture using traditional espionage and intelligence collection methods. In general, any regime that can lessen uncertainty in cyber war would be a stabilizing factor.
  2. Law Enforcement. International enforcement against cyber-based crime currently faces many serious obstacles. A short list includes: (1) extradition of cyber-criminals from one jurisdiction to another; (2) rules of evidence that are internationally recognized; (3) attribution of criminality and responsibility; and (4) variances in definitions of crimes. By putting in place the type of government-to-government coordination required for a successful cyber arms control regime, part of its function, by necessity, would be to distinguish nation-state originating weapons from other cyber abuses. Since these other abuses are by default the responsibility of criminals, this would enhance international coordination and law enforcement to bring them to justice.

 

The Wikileaks Vault 7 “Year Zero” Leak

On March 7th, 2017, Wikileaks released a giant file of 8,761 documents from the U.S. Central Intelligence Agency (CIA). Wikileaks called the leak the “first full part of the series ‘Year Zero’”. The documents were stolen from a network that supposedly was “isolated” within the CIA itself.


Figure 1: The structure of the CIA’s cyber weapons development group, according to Wikileaks.

What is surprising about the leak to Wikileaks is that it contains not only documentation regarding CIA development activities, but also the actual code (“several million lines of code”) used in these various exploits.

It appears that these cyber weapons allow almost any electronic device to be hacked for purposes of intelligence collection.

Since there already is a great deal of publicity regarding these weapons, there is no need to discuss them here.

Effect on U.S. National Security

If the leak is genuine, then this is another giant blow to the intelligence community.  It will make it easier now for criminals, terrorists, human traffickers, heroin cartels or others, including other nation states to deploy cyber weapons against the United States. It also will allow these enemies to avoid detection.

It further will erode faith in U.S. technology exports and harm U.S. technology companies.

The persons who leaked the information are traitors, and what they have done will result in people being killed or otherwise harmed. If they are found, then they should be prosecuted.

Wikileaks reports that approximately 22,000 IP addresses located within the United States were targets of these cyber weapons.

The Danger of Cyber Weapons Proliferation

As if they are some type of hero, the leaker wishes “to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.”

This blogger agrees that we should have a debate, but inflicting severe damage against the intelligence community is hardly the way to do it. An alternative debate might be whether or not the leaker should be shot. 

In any case, this leak emphasizes the following dangers of cyber proliferation:

  1. Unlike the difficulties found in nuclear proliferation, cyber weapons can be dispersed and moved around the world in seconds.
  2. It is impossible to determine who has access to cyber weapons once they are released.
  3. Cyber weapons are asymmetric in nature; that is, their cost is a tiny fraction of the value of damage they can cause.

The Need for Cyber Arms Control

This unfortunate compromise in U.S. national security again emphasizes the need for the nations of the world to begin the process of creating an international convention for cyber arms control.  The proliferation of cyber weapons needs to be stopped before there is a tremendous disaster.

 

Détente in Cyberspace

Prospects for “Cyber Détente”

In his analysis of why détente between the United States and the Soviet Union broke down in the period of 1975 to 1980, Olav Njølstad, of the Norwegian Nobel Institute, identified five factors. We can test these factors against today’s environment to suggest the prospects for conclusion of an international treaty for the control of cyber arms proliferation.

Détente was a policy adopted by the Soviet Union and United States to lessen geopolitical tensions, establish mutually beneficial relationships, and importantly, engage in strategic (nuclear) arms control. It resulted in the conclusion of the SALT I treaty, but not the SALT II treaty. (SALT = “Strategic Arms Limitation Talks”)

Njølstad’s Five Factors

Here are Njølstad’s Five Factors and what they might suggest for cyber arms control.

Factor 1
Lack of Mutual Trust

Njølstad argues that the leaders of the USA and USSR never really trusted each other. Although between Nixon and Brezhnev there gradually had been a build-up of personal trust, the large interest groups led by elites on both sides never understood each other. Nixon, for example, had Brezhnev out to his home in California for extensive discussions, and the photographs of the moment show a relaxed cordiality and workmanlike attitude present between these two leaders. But when Nixon left office, one leg of the table collapsed, and things fell apart finally under the administration of Jimmy Carter.

Application to Cyber Arms Control. It is difficult to judge the amount of “trust” between the superpowers today. But it is safe to assume that it is not different from twenty years ago, and may be even worse. Under that line of thinking, the lack of trust argues against agreement on a cyber treaty. A counter-argument may be that unlike the situation in the Cold War, in cyberspace, there are not such compelling groups of elites on either side. That is, whereas in the kinetic warfare realm, there automatically is a sharp division between competing parties, in the cyber realm the interest group may be the entire Internet community, worldwide. An additional consideration is that there is no strong “cyber war” faction we have noticed, at least in the United States. Or is there? A counter-counter argument is that the cyber realm is so new, and sensitivities are such, that it is much more difficult to build trust, in no small part because so little is understood of this new realm of interaction between nation states.

Conclusion: The lack of trust will inhibit agreement on a cyber arms limitation treaty.

Factor 2
Absence of Common Values and Visions

Njølstad also argues that the United States and Soviet Union had very different values, and this was another element in why détente fell apart. In its simplest form, this difference was Communist orthodoxy versus the human rights, democracy and justice values of the United States. In the Communist view, “peaceful coexistence” was possible between the superpowers, but there always would remain a competition in the realm of ideology. Many observers have argued that the Third Basket of the Helsinki Accords, concerning human rights, was responsible for generating a wave of anti-regime behavior throughout the Soviet Union, ultimately leading to its collapse.

Application to Cyber Arms Control. As pointed out elsewhere in this blog, China, Russia and the United States have very different views regarding Internet governance, and regarding the role of information in society. In particular, in Russia and China, there is an acceptance of the role of the government in controlling information and communications. Generally, these actions of censorship, or information regulation, are carried out with a view to maintaining stability. So that is a very different point of view from much of the West. The counter-argument is that whereas there are different views on the role of government in controlling information, there actually is an almost perfect agreement regarding the need to control cyber crime. In this connection, there is obviously a great potential for international agreement. The counter-counter argument is that although there is a shared interest in controlling cyber crime, this does not necessarily translate into interest in getting cyber arms control.

Conclusion: There are strong points of agreement between the superpowers on the need to control cyber crime. This would indicate potential for some type of international agreement to help accomplish this goal. In this connection, different philosophies regarding the role of government in controlling information are not relevant. So there are places where it should be possible to reach international agreement, but it remains to be seen what advantage countries would have in limiting their own ability to develop and deploy cyber weapons.

Factor 3
Lack of Real Economic Interdependence

Between the United States and Soviet Union, there was no substantial economic interdependence. There was little produced in the Soviet Union that was needed in the United States. The Soviet Union produced little of value except oil and raw materials. More than 40% of its GDP was being spent in the military industrial complex, and almost all of the money from oil exports was being used to pay for importation of meat and grains from the West. In addition, the Soviet Union was burdened by its overseas commitments, all of which were costing substantial amounts of money. Njølstad’s notion is that had there been greater economic integration, then this would be a booster of détente, or at least something to prevent its deterioration.

Application to Cyber Arms Control. Between China and the United States, there is significant economic integration; between the US and Russia, the situation has not changed much since the 1980s. Between China and Russia, there is some trading for energy, but little else. Compared to China, Russia’s economy is very small. In the area of cyberspace, the United States is dominant, and it does not need either of the other two markets to have a viable Internet ecosystem. Nevertheless, there is acknowledgement on all sides that cyberspace, the Internet, plays a crucial role in economic development. Therefore, it is a priority on all sides for the Internet to continue to function so that infrastructure and economic functions can continue to operate smoothly. Even though each nation views development of defensive weapons in its own jurisdiction a sovereign right, in the realm of cyberspace, there may be an incentive on all sides to reach agreement on international procedures and other mechanisms to keep cyberspace open for business.

Conclusion: Favorable for cyber arms control.

Factor 4
Mutual Lack of Constraint

Njølstad argued there is a “zero-sum logic of Cold War geopolitics”. That is, if one side gained, the other lost. In the Cold War, there was a mistaken tendency for the two superpowers to consider détente to be a bilateral matter but without reference to competition taking place in the developing world. So under this thinking, it would be possible to continue to probe for geopolitical advantages elsewhere while maintaining détente between the superpowers themselves. It didn’t work. The Soviet invasion of Afghanistan, and the problems in the Middle East, Angola and the Horn of Africa (Ethiopia, Somalia) led to continued problems. The fall of the Shah of Iran and the Soviet invasion of Afghanistan led to the “Carter Doctrine”, which threatened war if the Soviet Union moved to exert control in the Persian Gulf. It also led to a giant military build-up, which President Reagan inherited.

Application to Cyber Arms Control. For this analogy to work, we would need to see evidence of continued probing for advantage in cyberspace while at the same time attempting to maintain a regime of cyber arms control. We can expect that nations would continue to engage in cyber espionage, and therefore it would not be possible to have any international agreement limiting this important government function, on any side. On the other hand, cyberspace is such that there may not necessarily be a zero sum game. Does innovation in one area (country, application portfolio) automatically lead to losses on the other side? One could argue “yes”, and give the example of how China has discriminated against foreign social media and other Internet services groups so as to create its own native Chinese companies. But it is difficult to show harm to the other side, which continues to grow and prosper. It can also be argued that the interest in keeping the Internet running will be strong enough to encourage work at international agreements that limit cyber weapons and their proliferation.  For example, cyber weapons should not be allowed to fall into the hands of non-state actors (information terrorists). This would be also the case if other nations were coaxed into joining the control regime, because the superpowers would see the treaty as a way to limit weapons developed elsewhere. This would limit threats to Internet (cyberspace) stability and thus be of benefit to everyone. And at the same time it would not prevent competition from continuing.

Conclusion: Favorable for cyber arms control.

Factor 5
Dynamics of the Arms Race

Njølstad argues that on each side there were “intellectual, institutional, and economic pressures” coming from “groups, companies, and bureaucracies with a vested interest in the arms race”. As a result, it became much easier after détente began to weaken to raise voices calling for a harder line. In the same way Carter eventually was overwhelmed by hard liners, Brezhnev faced the same problem in the Soviet Union with pressures from the military and intelligence parts of the government.

Application to Cyber Arms Control. There is no strong institutional or economic pressure to continue building cyber weapons. They are not expensive to build. For example, the cost of cyber arms is nothing compared to the price of rolling out a new strategic bomber, fighter jet, or missile system. So we can conclude that there is no such strong institutional lobby standing by to back up hard liners should this possibility emerge.

Conclusion: Favorable for cyber arms control.

Overall Conclusion

Njølstad’s analysis gives crucial insights into why détente between the Soviet Union and the United States eventually fell apart. When we apply these same factors to the possibilities for cyber arms control, the picture is not as negative. But it is not completely positive either.

Note

One limitation (of many) in this analysis is that détente was seen as a bilateral policy between the United States and the Soviet Union. This is quite different from what would be required for the negotiation of a multilateral treaty for cyber arms control. So in a strict sense, applying a bilateral framework of explanation against a possible multilateral problem set is problematical. The counter-argument to this is that in arms control, leadership can be shown by superpowers, with the prospect that smaller less consequential nations will follow the example of the superpowers. A second counter-argument is that this bilateral framework can be applied to any set of multi-lateral relationships. For example, one could apply it to US-Russia relations, then to US-China relations, then to Russia-China relations. So it probably is possible to apply it to multilateral relations, although that is not its original design intent.

Reference

Olav Njølstad, “The collapse of superpower détente, 1975-1980”, in Melvyn P. Leffler and Odd Arne Westad, Eds., The Cambridge History of the Cold War, Vol. III Endings, Cambridge U. Press, 2010, pp. 135-155.

Russian Negotiating Positions on Cyber Warfare

Difficulty in Controlling Cyber Weapons

One of the chief criticisms of an international treaty for the control of cyber weapons is that countries simply would not agree to it because there is a risk of lessening nation state power. After all, why would a nation-state agree to limit its own cyber weapons?

Since the Russian Federation is a powerful actor in the cyber realm, it may be useful to examine its national cyber security objectives and then extrapolate to estimate Russia’s positions in any proposed international negotiations.


Figure 1 – Inference of Russian Negotiating Positions in connection with cyber warfare and related information operations.

Russian Priorities for International Agreements on Cyber

Much of Russia’s Information Security Doctrine (ДОКТРИНА информационной безопасности Российской Федерации) is defensive in nature. Consequently, the threat recognized by the Russian Federation is the same as in other countries, including those in the European Community and United States.

Financial Crimes and Privacy Cyber Crimes. All countries recognize that financial crimes or stealing of personal information on citizens by hackers are criminal acts. In the Russian Federation, these are recognized also as serious crimes. The practical result is that Russia will be open to negotiations on any international treaty that strengthens law enforcement of international cyber crimes involving theft of money or personal information.

Hacking and Attacks on Cyber Infrastructure. As in other countries, hacking attacks that are aimed at harming cyber infrastructure are illegal in Russia. Recent reports indicate the Duma (the Russian Congress or Parliament) is considering strong prison sentences for anyone convicted of harming cyber infrastructure through hacking. Again, the practical result is that negotiations that aim to increase international cooperation to combat this type of hacking should be possible between Russia and other nations.

Extradition Treaties. There have been a number of cases in which Russian authorities have wanted a criminal hiding in the West to be handed over, and a number of cases in which criminals located in Russia have been targeted for arrest outside of Russia. For the time being, there is no automatic way to handle extradition. Some countries, such as Israel, simply refuse to extradite their own citizens. We can expect that Russia might be willing to engage in negotiations with a limited purpose of agreeing to extradition arrangements for cyber criminals that are located overseas and yet through their criminal actions inflict harm in Russia. In order to have reciprocity, Russia would need to agree to hand over Russian citizens when they are indicted abroad for cyber crimes.

The general problem with extradition is that each nation handing over its citizens must be confident that the type of justice the person will receive in the receiving country is comparable to the standards found in their own country. For the time being, many countries do not recognize the Russian legal system as having a sufficient level of quality to provide credible guarantees. Nevertheless, it might be possible to engage in negotiations, providing there is discussion of a special type of legal protocol for cyber-crimes. This would be a potentially useful area for international legal scholarship and exchange of information. There are many problems, not the least of which are the rules for evidence required for conviction. Nevertheless, until there are such arrangements in place, any extraditions will be handled by nation states on a case-by-case basis.

Information Operations Targeting Russia. In the Russian way of thinking, there is a danger of information operations being conducted by foreign parties against Russia. These are divided into two classes: Class 1 are actions taken inside Russia by organizations that have some connection, usually funding, from non-Russian sources; Class 2 are information operations conducted outside of Russia, even aimed at citizens of other nations, that harm the image of Russia or otherwise sow discord.

Although the Universal Declaration of Human Rights (Всеобщая декларация прав человека) is generally used as a basis for arguing that it is the right of every individual to communicate (even criticize) freely, Russia can plausibly argue that Article 29 ¶2 places limits on communications that disturb morality, the public order, or general welfare of a nation. The concept of public order (ordre publique) is very broad in nature. The consequence is that Russia has a legal argument. In addition, Article 30 prohibits information and communication that has the effect of destruction of rights and freedoms. As a consequence, Russia has an argument that its broad definition of information threats to Russian sovereignty and public order is legal.

To go even further, it would by extension and analogy be possible to reference the United Nations Charter Articles 41 & 42 which give each nation state an inherent right of self-defense. As such, any nation should be able to defend itself against information operations that are a threat to its sovereignty or public order. The counter-argument to this line of thinking is that when the UN Charter was written, these articles referred specifically to military (kinetic) threats. So since information operations are not kinetic threats, then these self-defense articles do not apply. The counter-counter-argument that can be made is that although these Articles definitely apply to kinetic military operations, the major powers involved in the Second World War (Вели́кая Оте́чественная война́) all were heavily involved in various types of information operations. Therefore, since information operations at the time of the signing of the UN Charter were considered to be an inherent aspect of warfare, we can infer that the United Nations Charter and its inherent right of self-defense for nation states as seen in Articles 41 & 42 are inclusive of information operations.

The implication is that although it might be possible to engage Russia in discussions regarding an international agreement regarding control of information operations, the likelihood of success would be minimal because there is a conflict between the danger of information operations, and the need for freedom of the press. In addition, Russian media channels such as RT and Sputnik might be criticized in Europe or the United States in the same way CNN or Voice of America (VOA) might be criticized in Russia. So the consequences are that Russia would be required to place limitations on the content of RT and Sputnik and all of its foreign media operations in exchange for other nations to do the same. These are unrealistic expectations for either Russia or any other nation to agree to. Therefore, we can assess there is a very small chance we will see any successful negotiations on the international control of information operations conducted by nation states or major media channels. An additional complication is that the Internet already provides free access to most of the world’s television channels. (See Free Internet TV.)

Default to National Control. Since we can expect no international agreement to limit or control information operations, the only defensive solution is for nation states to take actions within their own territory to limit the supposedly corrosive influence of foreign information. This is the default position of the People’s Republic of China, and a number of other countries. Russia has not been as strict as China in this regard. The United States may be considering taking steps to limit the information operations of Islamic terrorist organizations such as ISIS (Daesh). This would represent a remarkable departure from a policy of almost 100% freedom of information.

Terrorist Propaganda. Terrorist propaganda has been around for a long time, but the current debate is over control of ISIS (Daesh) propaganda that is being transmitted through various social media channels over the Internet. This may cause asyngnotic networks to emerge and trigger terrorist attacks. (See “The Cyber Intelligence Challenge of Asyngnotic Networks“.) The current trend is for nation states to consider censoring this information. Again, this will be done at the nation-state (default) level of control.

An additional argument that Russia might make in justifying these types of actions is found in Article 41 of the United Nations Charter. Here, the article specifically mentions “means of communications” as something that can be interrupted in order to maintain international peace and security.

Religious Dimension to Information Operations. There are arguments made that there should be no control over religious communications across borders, and that to limit these flows of information is to repress religious rights. The counter-argument is that there is no protection provided in any society for information of any type, even religious information, if it promotes hatred or racism, or incites violence. Therefore, “religious” communications from ISIS (Daesh) can be banned in all countries for public safety reasons. There is no “right” to transmit information that may cause people to become violent and endanger peace and security. No international agreement is needed to allow this type of censorship, as these rights of nation states already are written into treaties and agreements.

International Control of Cyber Espionage. Every nation spies, and every nation knows it. Espionage is information collection and analysis conducted by a nation state as a part of its national defense. Russia has a tradition of cooperating in sharing intelligence information under extremely limited circumstances, and when doing so is mutual, and the entire sharing operation is mutually beneficial. These agreements are made on a bilateral basis, and are not published or registered, so are beyond the scope of this analysis. Since every nation has an inherent right of self-defense, there will never be an international agreement to limit or control espionage, even that conducted via the Internet (“cyber espionage”).

Details of Russia’s Information Security Doctrine

By a Presidential Decree of December 5, 2016, Russia adopted a revised information security doctrine (ДОКТРИНА информационной безопасности Российской Федерации). What can we learn from this document that would anticipate Russian policy positions in international negotiations aimed at getting more cyber security for the world?

(Below is the original Russian. Above is not a translation, but instead is a gloss that summarizes the implications of the Russian doctrine. The pertinent Russian phrases have been underlined.)

II.7. Recognizes that information technology has developed into an international phenomenon that is cross-border in nature.
(7. Информационные технологии приобрели глобальный трансграничный характер и стали неотъемлемой частью всех сфер деятельности личности, общества и государства.)

II.8(d). Suggests that the government of Russia desires to work at building an international political-legal framework that will help to stop uses of information technology that harm stability and sovereignty. This is expressed as the desire for international agreements that will stop foreigners from using cyber to injure Russia’s “information space”.
((д) содействие формированию системы международной информационной безопасности, направленной на противодействие угрозам использования информационных технологий в целях нарушения стратегической стабильности, на укрепление равноправного стратегического партнерства в области информационной безопасности, а также на защиту суверенитета Российской Федерации в информационном пространстве.)

The Russian View of Cyber Threats

III.10. The international flow of information into Russia may help terrorists, extremists or other illegal activities. For example, under this way of thinking, the introduction of ISIS (Daesh) propaganda into Muslim communities inside Russia is a serious cyber threat.
(Возможности трансграничного оборота информации все чаще используются для достижения геополитических, противоречащих международному праву военно-политических, а также террористических, экстремистских, криминальных и иных противоправных целей в ущерб международной безопасности и стратегической стабильности.)

III.10. There is a threat of information technology being introduced into Russia without having undergone adequate security testing, and without being integrated with the overall national efforts at cyber security. (The United States does not have any such program.)
(При этом практика внедрения информационных технологий без увязки с обеспечением информационной безопасности существенно повышает вероятность проявления информационных угроз.)

III.12. Covert action by government secret organizations uses cyber for psychological warfare. In Russia, there is a view that human rights organizations (and others) may be secretly funded by foreign governments to weaken Russia. By “weaken” Russian doctrine means “destabilization of the political and social situation”.
(12. Расширяются масштабы использования специальными службами отдельных государств средств оказания информационно-психологического воздействия, направленного на дестабилизацию внутриполитической и социальной ситуации в различных регионах мира и приводящего к подрыву суверенитета и нарушению территориальной целостности других государств. В эту деятельность вовлекаются религиозные, этнические, правозащитные и иные организации, а также отдельные группы граждан, при этом широко используются возможности информационных технологий.)

III.13. Terrorist organizations use cyber both to sabotage Russia’s technical infrastructure and to distribute propaganda.
(Различные террористические и экстремистские организации широко используют механизмы информационного воздействия на индивидуальное, групповое и общественное сознание в целях нагнетания межнациональной и социальной напряженности, разжигания этнической и религиозной ненависти либо вражды, пропаганды экстремистской идеологии, а также привлечения к террористической деятельности новых сторонников. Такими организациями в противоправных целях активно создаются средства деструктивного воздействия на объекты критической информационной инфраструктуры.)

III.14. Hacking and computer crime targeting financial assets and private information.
(14. Возрастают масштабы компьютерной преступности, прежде всего в кредитно-финансовой сфере, увеличивается число преступлений, связанных с нарушением конституционных прав и свобод человека и гражданина, в том числе в части, касающейся неприкосновенности частной жизни, личной и семейной тайны, при обработке персональных данных с использованием информационных технологий.)

III.16. Governments of various nations use cyber to (a) attack Russian infrastructure; (b) conduct cyber espionage; (c) influence political and social stability.
(16. Состояние информационной безопасности в области государственной и общественной безопасности характеризуется постоянным повышением сложности, увеличением масштабов и ростом скоординированности компьютерных атак на объекты критической информационной инфраструктуры, усилением разведывательной деятельности иностранных государств в отношении Российской Федерации, а также нарастанием угроз применения информационных технологий в целях нанесения ущерба суверенитету, территориальной целостности, политической и социальной стабильности Российской Федерации.)

III.19. Internet governance is not equitable between nations. This is a threat because it makes it problematical for Russia to work at creating a system of international information security.
(19. Состояние информационной безопасности в области стратегической стабильности и равноправного стратегического партнерства характеризуется стремлением отдельных государств использовать технологическое превосходство для доминирования в информационном пространстве. Существующее в настоящее время распределение между странами ресурсов, необходимых для обеспечения безопасного и устойчивого функционирования сети “Интернет”, не позволяет реализовать совместное справедливое, основанное на принципах доверия управление ими. Отсутствие международно-правовых норм, регулирующих межгосударственные отношения в информационном пространстве, а также механизмов и процедур их применения, учитывающих специфику информационных технологий, затрудняет формирование системы международной информационной безопасности, направленной на достижение стратегической стабильности и равноправного стратегического партнерства.)

Highlights of James Clapper Testimony

National Intelligence Director James Clapper; Mike Rogers, the Chief of NSA’s Cyber Command; and Marcel Lettre, a Defense Undersecretary for Intelligence, testified today to the U.S. Senate Armed Services Committee. The overall theme of the hearing was supposed to be Russian interference in the recent presidential election in the United States. As it turns out, the intel community has not yet completed its study. Nevertheless, a few notes on the hearing are provided below.

The intelligence community has concluded that Russia interfered with the election and that the plan was directed and planned directly by the Kremlin, including with knowledge of the President of the Russian Federation.

No proof was offered, because to offer the proof would destroy intelligence collection methods.

Cyber War Matrix.

This was a long testimony. Here, the intent is only to report on what was said, that is, the major conclusions that have been made by the intelligence community regarding Russian hacking. The set-up to the testimony by Senator John McCain was tricky. He stated that attacks against election emails were “consistent” with Russian techniques of hacking, but he did not say the hacks were Russian.

2,000,000 personnel records of the U.S. government were stolen by China, according to McCain. “Indecision and inaction” has thus far been the U.S. response. The cost needs to be raised for conducting cyber attacks against the United States. The opening statement from the Democratic side blamed election problems on Russia. These statements were made by Jack Reed, Democrat, Rhode Island, who argued also that Russia takes these actions because democracy is a threat to countries near to Russia, which is in what it claims is its “sphere of influence”.

Marcel Lettre. Threats. DOD defines 5 challenges. Russian coercion and aggression, particularly in Europe. Historic change in Asia Pacific. Risks with China’s destabilizing actions there. Iranian influences in Middle East. North Korea nuclear provocations. And Terrorism fighting, ISIS and Al Qaeda. All of these present a cyber threat.

The DOD strategy is to maintain dominance in this domain. Three missions: Defend DOD networks; give cyber options to commanders; defend US against cyber attacks. “Cyber Mission Force” now is operational.

Clapper (DNI). Regarding Russian interference in the electoral process. Said that the Russian tools detailed in the NCCIC report showed how they influenced the election. Russia has increased cyber espionage operations, and has leaked crucial data. China continues to attack US government and US companies. Iran and North Korea continue to improve their capabilities. ISIS is using Internet to collect funds, broadcast propaganda, and recruit new members. Cyber attacks can also change or alter information. All of this chips away at the public trust. All instruments of power should be used to respond to cyber attacks. Using cyber to counter cyber attacks. Recommends separating NSA and Cyber Command.

Rogers (Cyber Command and NSA). They are awaiting the findings of a joint intelligence review. Their conclusions still have not been collected. Russian cyber groups have “a history of aggressively hacking into others’ governments”.

McCain first started to discuss Julian Assange. Confirmed that Wikileaks published names of people who had their lives put in danger. No credibility should be attached to his views, according to Clapper, Rogers and McCain.  McCain does not believe Russian actions

“They did not change any vote tallies; we have no way to gauge the impact it had choices of the election.” Would that be an act of war if elections were changed? That is a “very heavy policy call”, but it definitely should carry great gravity. No one seems to know what to do if there is a cyber attack. They report it, but remain bystanders.

A “deterrence and response” framework needs to be put into place. There is a conclusion that the Russians interfered in the election. CIA, NSA and DHS will create joint report. They DO conclude that Russia interfered in the election. Rogers (NSA) said largest problem is “speed; speed and speed”.

Fake news sites; fake news stories also were part of Russian actions. A multi-faceted campaign. Hacking was only one part of it. It also included classical propaganda, disinformation, and fake news. Russians used “classical tradecraft”, particularly for misinformation, to hide source of the news information.

“People in glass houses should not throw too many rocks”. The attack against the Office of Personnel Management (OPM) was an act of espionage, not a cyber-attack. We do the same type of espionage. “Large data sets have become a particular high priority target” because “it is possible to mine the data”, according to Rogers.

The implication of Clapper’s statement is that cyber-espionage is not an “attack”. This is because every nation does it.

“If there is any connection with the Internet, there is an inherent security vulnerability,” according to Clapper.

Senator Nelson (Florida) compared cyber war to nuclear war. He argued that there is “no deterrence” in the field of cyber. A cyber response to a cyber act “may not be the best response”, according to Clapper. Also, you never know “what kind of cyber-retaliation” will be brought back from the other side. “All instruments of national power” should be used.

If a country launches a cyber counter-attack, then it is necessary to use the infrastructure of other countries, and this brings up a variety of legal issues.

Senator Claire McCaskill, Missouri Democrat, was highly critical of any contact with Assange. He is under indictment by the Swedish government for sexual crimes. He exposed information that put people at risk. The “people in the intelligence community do not have much respect for him.”

Conclusions

The intelligence community has not yet completed its report. There appears to be a significant amount of evidence that Russia participated in the election, but there is no hard evidence yet presented. The key actors that oppose the United States are (1) Russia; (2) China; (3) North Korea; and (4) Iran.

One theme emphasized several times was that there is little strategy developed for responding to cyber attacks. “We don’t have a strategy.” Also, the coordination needed for a response is very complicated, and takes too long. This prevents the United States from having a coherent and effective response to a cyber attack. “We are being hit repeatedly because the benefits outweigh the cost”.

There also were indications that the intel community may have an idea of what happened inside the Kremlin. This will not come to light, because it obviously would give away too much information about “sources and methods” of intelligence collection.

In addition, there is no policy of responding to acts of espionage because we do the same.

Bottom line: The current thinking is that the Russians at the highest levels approved of and directed the hacking campaign against the United States. In this context, it means President Putin himself. This is not really good news. Clapper sees Russian actions as being in the same tradition as the Cold War, like what happened in the 1960s.

Below is a rough sketch of the categories of cyber activities under discussion.

 

Prospects for Cyber Arms Control

There are two ways to think about the election hacking. First, there are arguments that political activity should be considered to be a “critical infrastructure”, and the consequence of this would be that such hacking would be considered to be an aggressive attack against the country. Second, the current line of thinking is that espionage (passive information collection) should be separated from collection of commercial industrial espionage, or political interference.

In the Cyber War Matrix, above, cyber arms control would apply to the warfare rows. There will never be any international agreement to limit espionage or active measures.