cyberarmscontrolblog

International Agreement for Control of Cyber Weapons

Category: INTERNATIONAL CYBER TREATY

Microsoft’s Brad Smith Favors Cyber Arms Control

Steve Ranger on ZDNet reports on a recent presentation by Microsoft President Brad Smith. Like other tech-savvy observers, Smith worries about a Cyber Arms race that is out of control, and is in favor of doing something about it. See his blog post: “The Need for a Digital Geneva Convention”.

 

 

Détente in Cyberspace

Prospects for “Cyber Détente”

In his analysis of why détente between the United States and the Soviet Union broke down in the period of 1975 to 1980, Olav Njølstad, of the Norwegian Nobel Institute, identified five factors. We can apply these factors to today’s environment to assess the prospects for conclusion of an international treaty for the control of cyber arms proliferation.

Détente was a policy adopted by the Soviet Union and United States to lessen geopolitical tensions, establish mutually beneficial relationships, and importantly, engage in strategic (nuclear) arms control. It resulted in the conclusion of the SALT I treaty, but not the SALT II treaty. (SALT = “Strategic Arms Limitations Talks”)

Njølstad’s Five Factors

Here are Njølstad’s Five Factors and what they might suggest for cyber arms control.

Factor 1
Lack of Mutual Trust

Njølstad argues that the leaders of the USA and USSR never really trusted each other. Although between Nixon and Brezhnev there gradually had been a build-up of personal trust, the large interest groups led by elites on both sides never understood each other. Nixon, for example, had Brezhnev out to his home in California for extensive discussions, and the photographs of the moment show a relaxed cordiality and workmanlike attitude present between these two leaders. But when Nixon left office, one leg of the table collapsed, and things fell apart finally under the administration of Jimmy Carter.

Application to Cyber Arms Control. It is difficult to judge the amount of “trust” between the superpowers today. But it is safe to assume that it is not different from twenty years ago, and may be even worse. Under that line of thinking, the lack of trust argues against agreement on a cyber treaty. A counter-argument may be that unlike the situation in the Cold War, in cyberspace there is no such compelling group of elites on either side. That is, whereas in the kinetic warfare realm there automatically is a sharp division between competing parties, in the cyber realm the interest group may be the entire Internet community, worldwide. An additional consideration is that there is no strong “cyber war” faction that we have noticed, at least in the United States. Or is there? A counter-counter argument is that the cyber realm is so new, and sensitivities are such, that it is much more difficult to build trust, in no small part because so little is understood of this new realm of interaction between nation states.

Conclusion: The lack of trust will inhibit agreement on a cyber arms limitation treaty.

Factor 2
Absence of Common Values and Visions

Njølstad also argues that the United States and Soviet Union had very different values, and this was another element in why détente fell apart. In its simplest form, this difference was Communist orthodoxy versus the human rights, democracy and justice values of the United States. In the Communist view, “peaceful coexistence” was possible between the superpowers, but there always would remain a competition in the realm of ideology. Many observers have argued that the Third Basket of the Helsinki Accords, concerning human rights, was responsible for generating a wave of anti-regime behavior throughout the Soviet Union, ultimately leading to its collapse.

Application to Cyber Arms Control. As pointed out elsewhere in this blog, China, Russia and the United States have very different views regarding Internet governance, and regarding the role of information in society. In particular, in Russia and China, there is an acceptance of the role of the government in controlling information and communications. Generally, these actions of censorship, or information regulation, are carried out with a view to maintaining stability. So that is a very different point of view from much of the West. The counter-argument is that whereas there are different views on the role of government in controlling information, there actually is an almost perfect agreement regarding the need to control cyber crime. In this connection, there is obviously a great potential for international agreement. The counter-counter argument is that although there is a shared interest in controlling cyber crime, this does not necessarily translate into interest in getting cyber arms control.

Conclusion: There are strong points of agreement between the superpowers on the need to control cyber crime. This would indicate potential for some type of international agreement to help accomplish this goal. In this connection, different philosophies regarding the role of government in controlling information are not relevant. So there are places where it should be possible to reach international agreement, but it remains to be seen what advantage countries would have in limiting their own ability to develop and deploy cyber weapons.

Factor 3
Lack of Real Economic Interdependence

Between the United States and Soviet Union, there was no substantial economic interdependence. There was little produced in the Soviet Union that was needed in the United States. The Soviet Union produced little of value except oil and raw materials. More than 40% of its GDP was being spent in the military industrial complex, and almost all of the money from oil exports was being used to pay for importation of meat and grains from the West. In addition, the Soviet Union was burdened by its overseas commitments, all of which were costing substantial amounts of money. Njølstad’s notion is that had there been greater economic integration, then this would be a booster of détente, or at least something to prevent its deterioration.

Application to Cyber Arms Control. Between China and the United States, there is significant economic integration; between the US and Russia, the situation has not changed much since the 1980s. Between China and Russia, there is some trading for energy, but little else. Compared to China, Russia’s economy is very small. In the area of cyberspace, the United States is dominant, and it does not need either of the other two markets to have a viable Internet ecosystem. Nevertheless, there is acknowledgement on all sides that cyberspace, the Internet, plays a crucial role in economic development. Therefore, it is a priority on all sides for the Internet to continue to function so that infrastructure and economic functions can continue to operate smoothly. Even though each nation views development of defensive weapons in its own jurisdiction as a sovereign right, in the realm of cyberspace, there may be an incentive on all sides to reach agreement on international procedures and other mechanisms to keep cyberspace open for business.

Conclusion: Favorable for cyber arms control.

Factor 4
Mutual Lack of Constraint

Njølstad argued there is a “zero-sum logic of Cold War geopolitics”. That is, if one side gained, the other lost. In the Cold War, there was a mistaken tendency for the two superpowers to consider détente to be a bilateral matter but without reference to competition taking place in the developing world. So under this thinking, it would be possible to continue to probe for geopolitical advantages elsewhere while maintaining détente between the superpowers themselves. It didn’t work. The Soviet invasion of Afghanistan, and the problems in the Middle East, Angola and the Horn of Africa (Ethiopia, Somalia) led to continued problems. The fall of the Shah of Iran and the Soviet invasion of Afghanistan led to the “Carter Doctrine” which threatened war if the Soviet Union moved to exert control in the Persian Gulf. It also led to a giant military build-up, which President Reagan inherited.

Application to Cyber Arms Control. For this analogy to work, we would need to see evidence of continued probing for advantage in cyberspace while at the same time attempting to maintain a regime of cyber arms control. We can expect that nations would continue to engage in cyber espionage, and therefore it would not be possible to have any international agreement limiting this important government function, on any side. On the other hand, cyberspace is such that there may not necessarily be a zero-sum game. Does innovation in one area (country, application portfolio) automatically lead to losses on the other side? One could argue “yes”, and give the example of how China has discriminated against foreign social media and other Internet services groups so as to create its own native Chinese companies. But it is difficult to show harm to the other side, which continues to grow and prosper. It can also be argued that the interest in keeping the Internet running will be strong enough to encourage work at international agreements that limit cyber weapons and their proliferation. For example, cyber weapons should not be allowed to fall into the hands of non-state actors (information terrorists). This would also be the case if other nations were coaxed into joining the control regime, because the superpowers would see the treaty as a way to limit weapons developed elsewhere. This would limit threats to Internet (cyberspace) stability and thus be of benefit to everyone. And at the same time it would not prevent competition from continuing.

Conclusion: Favorable for cyber arms control.

Factor 5
Dynamics of the Arms Race

Njølstad argues that on each side there were “intellectual, institutional, and economic pressures” coming from “groups, companies, and bureaucracies with a vested interest in the arms race”. As a result, it became much easier after détente began to weaken to raise voices calling for a harder line. In the same way Carter eventually was overwhelmed by hard liners, Brezhnev faced the same problem in the Soviet Union with pressures from the military and intelligence parts of the government.

Application to Cyber Arms Control. There is no strong institutional or economic pressure to continue building cyber weapons. They are not expensive to build. For example, the cost of cyber arms is nothing compared to the price of rolling out a new strategic bomber, fighter jet, or missile system. So we can conclude that there is no such strong institutional lobby standing by to back up hard liners should this possibility emerge.

Conclusion: Favorable for cyber arms control.

Overall Conclusion

Njølstad’s analysis gives crucial insights into why détente between the Soviet Union and the United States eventually fell apart. When we apply these same factors to the possibilities for cyber arms control, the picture is not as negative. But it is not completely positive either.

Note

One limitation (of many) in this analysis is that détente was seen as a bilateral policy between the United States and the Soviet Union. This is quite different from what would be required for the negotiation of a multilateral treaty for cyber arms control. So in a strict sense, applying a bilateral framework of explanation against a possible multilateral problem set is problematical. The counter-argument to this is that in arms control, leadership can be shown by superpowers, with the prospect that smaller, less consequential nations will follow the example of the superpowers. A second counter-argument is that this bilateral framework can be applied to any set of multilateral relationships. For example, one could apply it to US-Russia relations, then to US-China relations, then to Russia-China relations. So it probably is possible to apply it to multilateral relations, although that is not its original design intent.

Reference

Olav Njølstad, “The collapse of superpower détente, 1975-1980”, in Melvyn P. Leffler and Odd Arne Westad, Eds., The Cambridge History of the Cold War, Vol. III Endings, Cambridge U. Press, 2010, pp. 135-155.

The Rise of Cyber Nationalism

Countries now have informal gangs of cyber warriors positioned to attack foreign countries. This appears to have happened a number of times. Reports indicate that after the president of Taiwan made a congratulatory telephone call to Mr. Trump, the 45th President-elect of the United States, nationalists in mainland China launched a series of cyber attacks against facilities in Taiwan. Since there are so many Chinese in the mainland, and since Taiwan is so small in comparison, one can imagine the severity of the damage. Various news reports (The Diplomat, The Jamestown Foundation, Financial Times) indicate that the current Chinese government is “worried” about the ferocity of these cyber attacks.

Cyber Nationalism

In China, the fear is “cyber nationalism”, the spontaneous development of nationalist “armies” of hackers who attack foreign countries viewed as being antagonistic to China. Below we list various techniques identified as being associated with cyber nationalists.

Malicious Hacking. Attacks may take place against websites of a foreign government in an “enemy” country. Or attacks may take place against foreign news media that publish information not favorable to the hacker’s home country, its foreign policy, its domestic policy, its leadership, or its government. In general, “hacking” is a broad and less-than-specific term that may refer to a number of actions including (1) Denial of Service (DoS) attacks against a website, thus more or less making it impossible for people to find the website or use it; (2) Introduction of propaganda onto the target website; for example, instead of having its regular home page show up, a defaced home page will show up containing a negative message for readers; (3) Alteration of information on a website, either in a major or subtle way; (4) Introduction of malicious code onto the target website.

Social Media. A second tactic is to bombard social media with the intended political message. This can be of either the positive or negative variety. “Positive” refers to setting up social media locations, such as a Facebook page, that express a point of view compatible with that of the cyber nationalists. “Negative” refers to visiting social media pages of organizations or individuals who have an opposing (or targeted) point of view, and introducing (or bombarding the site with) harsh comments. There are a number of social media sites, but since Facebook is the world’s largest carrier of email, for all practical purposes, these social media wars take place on Facebook.

News Media. An increasing number of online news outlets invite comments on different news stories. Actually, this is a form of customer retention strategy. People will keep coming back to a website if they can “interact” with it. Sometimes these comments can be made anonymously; other times they require registration to identify the commentators. Online registration has a variety of levels of security and authenticity. In most cases, however, it is possible to register with only a reference email account, and email accounts themselves can be false. This makes it possible for trolls to be accredited anonymously, or to even register under more than one identity. These comments in the media can have a significant effect, one would suppose. (We need to take a look at more detailed social science and communications/media research to see if anyone has empirically measured the effects on public opinion and published the results in a scientific journal.)  But for the time being, let’s assume these armies of commentators can have an effect.

Other Examples of Cyber Nationalism

China is not the only country with entrenched cyber nationalists. Russia is reported to have conducted “information warfare” in connection with its campaign in the Ukraine. (See “Cyber Threats and Russian Information Warfare” published by the Jewish Policy Center; or “Russia’s Information Warfare” published in Politico; or “Russia and the Menace of Unreality: How Vladimir Putin is revolutionizing information warfare” published in The Atlantic; or “Что такое информационная война?” [What is Information Warfare?] published in ВОПРОСИК; or “Информационная война: определения и базовые понятия” [Information warfare: definitions and basic concepts] published in PsyFactor; or “論中共「信息戰」之不對稱作戰” [The Asymmetric Operation/War of PRC’s Information Warfare].)

And there is no reason to single out Russia or China only. Other countries do the same thing. For Israel, see “Information and Warfare: The Israeli Case” by Gideon Avidor and Russell W. Glenn. India established an “Information Warfare Agency” to counter messages from its dear friends in Pakistan. We can assume that every advanced country has developed an information warfare strategy, or at least is thinking about it. Some countries are better than others.

Issues for Cyber Arms Control

The essential problem of Cyber Nationalism is its informal nature. In cases like China, and reportedly Russia (which are the strongest examples), there is little if any connection between the government and the cyber nationalist movements. What we have is the spontaneous formation of nationalist cyber activists who are willing to cross over international borders and take cyber action in support of their country. In their heart, they are patriots, eager to defend the honor and reputation of their homeland as they see it.

It would be difficult and probably very controversial for any government to crack down on its private citizens because they were promoting their country overseas in cyberspace.

This means that in terms of an international treaty for control of cyber weapons, cyber nationalism would be problematical to include. It would mean that by acquiescing to an international agreement (treaty) nations would need to agree to crack down (arrest; prosecute; punish; fine) their own nationals when they engage in international cyber activism. Even if there were such an agreement, it would be very difficult to enforce from a practical point of view.

  1. How would the government be notified of the violation overseas?
  2. How would it be possible to verify the true identity of the person committing the violation?
  3. What would be the evidentiary requirements in the judicial process?
  4. What would happen if the action taken abroad by a cyber nationalist was considered a crime where it was committed, but not a crime in the country which is the domicile of the alleged offender? (For example, would a United States prosecutor punish an American citizen because they published information on a Chinese website that in China was considered to be illegal, but in the US would be acceptable or even a form of protected speech?)
  5. Given the number of persons involved, how would it be possible from a practical point of view to police the actions of hundreds of thousands of citizens?

The Criminal Element of Cyber Activism. In the above list, we mentioned two general classes of cyber activism expressing cyber nationalism. In most cases, working on social media and making comments on news media websites that themselves invite commentary would not be illegal, regardless of how outrageous or biased the comments. On the other hand, cyber vandalism (denial of service attacks; hacking of websites to change or distort the information there) is definitely illegal, and probably illegal in all countries.

Application to International Treaty


Figure 1. Treaty coverage for cyber crimes connected with cyber nationalism.

We can conclude, therefore, that an international treaty might be able to tighten up the enforcement against criminal actions.  Presumably, Country A would be willing to prosecute its citizens who performed recognized cyber crimes in Country B, if Country B was willing to prosecute its citizens who performed recognized cyber crimes in Country A. See Figure 1.

This type of agreement would be difficult to negotiate because the definition of cybercrime changes from one country to another. It would be easier to start with bilateral treaty negotiations, but more effective if a global treaty could be put in place.