Learning from the Cyber International Relations Seminar

From its inception in February 2009 through May 2010, the Cyber International Relations Seminar held seventeen sessions with speakers drawn from the United States government, academia and the private sector. These sessions focused on cyber attacks on the public and private sector, policies in response to these threats, international relations and strategic interactions in cyberspace. The sessions typically consisted of a 50-60 minute presentation by the speaker, followed by an hour of discussion with the audience on the topic. Since many in the audience, Harvard and MIT students, faculty and staff, were often acquainted with the topic, either from a technological or policy perspective, the discussions were stimulating for audience and speaker alike. Although technologists’ talking with policy analysts does not constitute interdisciplinary work, members of each group reported they had broadened their perspectives and increased their knowledge for their own work by coming to the seminars.[*] Somewhat similarly, several speakers commented privately on the pleasure of giving a talk to a knowledgeable audience.

What was learned? Here are some of the headlines and sub-headlines gathered across the talks:

·  Computer networks and hosts serving the US public and private sectors are under increasing attacks

o  Attacks range in sophistication from distributed denial of service to malware distribution for botnet creation or security breaches and exfiltration

o  Such attacks can enable cybercrime, industrial and political espionage, hostile military intents, such as preparation of the battlefield, and disruption of critical infrastructure, including energy, finance and telecommunications.

o  Perpetrators of correlated denial of service and more sophisticated attacks include cyber criminal groups, “hacktivists,” and states’ intelligence services. The intelligence services may be sponsors of the hacktivists or criminal groups for some attacks and the buyers of information obtained by the criminal groups in many cases.

·  The US public and private sectors are not adequately prepared and lack organizations and policies for effective response to these attacks.

o  The US military, government and critical infrastructures heavily depend on privately owned computer networks, whose security is a belated concern for their managers.

o  The US military, government and critical infrastructures depend more heavily on these networks than the attackers depend on their own networks. There is consequently an asymmetry to the advantage of the attacker, since any retaliation by the target is less damaging to the attacker.

o  Attacks on computers and computer networks can be accomplished by physical means, e.g., introduction of malware through thumb drives (Brenner[1]), and in the supply chain (Peake), as well as through network vectors.

o  Several speakers proposed that most of the vulnerabilities could be reduced by the development of communities of good security practices (Brenner, Hallam-Baker) or an emphasis on knowledge management for resilience (Demchak), while others argued that a national cyber security strategy had to include development of more resistant technologies (Studeman, Hathaway).

·  Speakers presented reasons that impeded the development of communities of practice at the enterprise and sector level.

o  Financial services and other enterprises are slow to publicize security breaches, because they fear the damage to their reputation would be more costly than the reduction of losses effected by new security practices implemented in the wake of the publicity (Hallam-Baker).

o  Insurance companies are unlikely drivers for better security in the private sector. Regardless of a firm’s security practices, an insurer is unlikely to write a policy against cyber attack, because cyber attacks tend to be correlated against many targets in the same region. Insurers could risk catastrophic losses (Bohme).

o  Cyber security companies are not likely to be the driver, because their own competitive practices, including keeping clients dependent solely on them, reduce their effectiveness. Research has shown that security companies, by sharing information about attacks among themselves, would together stop more attacks at their source than their combined total of successes when they work alone (Moore).

·  US decision makers have not fully developed policies, strategies and doctrines for use of defensive and offensive cyber weapons, although they view cyber attacks as potential threats to national security.

o  Certain US peer rivals have more developed strategies and doctrines for use of cyber. In terms of doctrine, China’s military regards cyber attacks both as diversionary and as a means to disrupt US military command and control systems, thereby reducing the US’s overwhelming firepower advantage (Thomas). China also has deployed cyber tools for political and military espionage on an unprecedented scale, considering such activity acceptable state behavior and a means to catch up with Western rivals (Mulvenon). The brazenness in its sponsoring or harboring cyber espionage may reflect China’s newness as a world power, the ascendency of a hard line on its cyber policy making or its failures at technological innovation.

o  Russia’s response to the challenge of cyber weapons is more inward looking and focused on “information security,” which includes preventing dissemination of information supporting terrorism, viz., Chechnya, or too critical of the regime. Motivated by fears of a Western advantage in the militarization of cyber space, Russia has also sought multi-lateral treaties to ban use of cyber weapons or to renounce first use (Markoff). Notwithstanding this normative stance, Russia coordinated or at least sanctioned DDoS attacks on Estonia, in 2007, and on Georgia, in 2008.

o  The development of US policies and strategies at the international level has been impeded, until very recently, by an exclusive focus on cybercrime and interstate coordination for its suppression. Though it had some success in getting other states to act against money laundering, the US is unlikely to get Russia and China to agree to broader measures against cybercrime (Lewis).

·  The US is now preparing to discuss at international forums norms for state behavior in cyberspace. Are there useful precedents or guides for the discussions?

o  Current international laws on the “right to war” and “rules of war” are not adequate to guide norms, policies and strategies at the global level, because international legal studies have not established equivalences between acts or situations in the kinetic world and in the virtual world (Goldsmith). Meeting that need is problematic. Unlike for other weaponry, there is great uncertainty about the consequences of cyber attacks, because of the interdependence of cyber systems (Lewis). So customary definitions and norms, e.g., proportionality of response, only military targets, might be impracticable in cyberspace (Goldsmith). [One framing of this problem is the question: “Where is the cyber blood?”]

o  The deterrence logics developed during the Cold War for nuclear weapons do not easily cover cyberspace, because of the proliferation of actors with cyber offensive capabilities – even if states were held responsible for attacks originating from their territories. Also, threats of retaliation would probably not deter cyber espionage and similar activities if the perpetrators believe their acts are adjusting a status quo that is unfair to them. In this matter, note that the Chinese definition of threats to international information includes technological hegemony (Hurwitz).

o  More promising precedents would be the technocratic agreements and organizations for stabilizing certain global infrastructures, like the International Civil Aviation Organization, IMF, etc.

·  Some steps for securing cyberspace may draw on the resources and affordances of that domain itself.

o  Both expert monitoring and crowd sourcing by reporting on disruptions of information flows could help identify violations of any agreed upon norms and, perhaps, the violators. These capabilities would be analogous to the network of seismic sensors and monitors, created by technologists and scientists, which preceded and provided a basis for verifying nuclear test ban agreements.

o  Because the Internet can enable extensive political participation, it exerts pressures on states toward greater transparency and accountability in policy and decision-making (Noveck). One result of this dynamic might be state behavior that secures (stabilizes) rather than threatens (or militarizes) use of cyberspace.

o  However, states differ in their views of what activities and information need to be controlled for security purposes, so agreement on a set of norms will be difficult (Lewis).

·  A meta-lesson of the seminar is the existence of at least three lenses for looking at cyberspace and international relations

o  The national security lens, through which most of the government speakers look, focuses on the threats to the US and other states’ security and welfare through various types of cyber attacks and exploitation. The challenges are to a) understand the present and potential threats and vulnerabilities; b) develop effective policies and strategies for responding to them; and c) resolve problems in realizing and implementing the policies and strategies.

o  The enterprise or globalization lens focuses on cyberspace as a supremely critical factor for economic activity at the local and global levels. Business enterprises are seen as primary actors in this space, with the major challenges being to their activities and resources, through cyber crime, cyber industrial espionage and cyber conflict at the state level. Responses to these threats at the enterprise level include incentivizing better security practices, security vendors’ sharing information to deliver more effective services, and more secure software. Responses imaged at the international level include a) harmonization of laws regarding censorship, privacy and criminal activity, and b) norms of state behavior for cyberspace to reduce interstate friction.

o  The global commons lens focuses on cyberspace as a medium, easily transcending national boundaries, for knowledge exchange, political participation, economic activities, cultural expression and new sociality. Major threats include censorship, political espionage, disruptive cyber conflicts and cyber crime. Imaged responses include technologies that can circumvent censorship and international networks of activists on behalf of cyber arms control.

Roger Hurwitz

May 20, 2010

Speaker / Affiliations / Sector / Issue / Date
Bill Studeman / DSB, Northrop Grumman / Public/ Private / Cyber Threats & Vulnerabilities / Spring, 2009
Stephen Goldsmith / Sandia National Labs / Government Research / Modeling Cyber Warfare / Spring, 2009
Philip Hallam-Baker / (formerly VeriSign), IETF / Private / Organized Cybercrime / Spring, 2009
Jack Goldsmith / Harvard Law School / Academia / International Law & Cyberspace / Spring, 2009
Timothy Thomas / Foreign Military Studies Office, US Army / Military Analysis / Russian & Chinese Strategies for Cyber war / Spring, 2009
Joel Brenner / Executive Director, National Counterintelligence / Government / Cyber Vulnerabilities & organization responses / Spring, 2009
Melissa Hathaway / DNI, EOP / Government / Strategies for National Cyber security / Spring, 2009
Denise Peak / NSA / Government / Securing the Cyber Supply Chain / Fall, 2009
Tyler Moore / Harvard Computer Science, WEIS / Academia / Economics of Cybercrime / Fall, 2009
Rainer Bohme / International Computer Science Institute / Academia / Economics of IT Insurance / Fall, 2009
Chris Demchak / US Naval War College / Military Analysis / Knowledge Management for Resilience / Fall, 2009
Michele Markoff / US Dept. of State / Government / US on Norms of Behavior in Cyberspace / Spring, 2010
James Lewis / Center for Strategic & International Studies / Public / Sovereignty & IR in Cyberspace / Spring, 2010
Roger Hurwitz & Jack Goldsmith / CSAIL, MIT & Harvard Law School / Academia / Cyber Deterrence / Spring, 2010
James Mulvenon / Defense Group, Inc. / Private / US-China Relation in Cyberspace / Spring, 2010
Ron Deibert / Citizens Lab, U. of Toronto / Academia / Militarization & Arms Control in Cyberspace / Spring, 2010
Beth Noveck / OSTP / Government / Open Government & Cyber Security / Spring, 2010

[*] These data are based on unsolicited remarks to Roger Hurwitz, the seminar organizer. There were no audience surveys or formal evaluations of the seminar. The data are probably a biased sample, since people feeling they had not gained from the seminar would likely not say that to Hurwitz, out of politeness. They would instead stop coming to the seminars, as did one senior ECIR investigator. Other indications that the seminar had only moderately contributed to ECIR’s mission include several other senior investigators and their students never attending the seminars. Hurwitz recommends that in the (unlikely) event that the seminar continues under ECIR auspices there should be a process of formal evaluation of the seminars by attendees and an effort to assure that ECIR investigators and students attend.

[1] This and following names in parentheses refer to speakers at the Cyber IR seminars.

A list of the speakers, their affiliations and issues discussed by them follows the text of this memo.