Cyberspace Cooperation

The Global Cooperation in Cyberspace Initiative seeks to reduce conflict, crime and other disruptions in cyberspace and promote stability, innovation and inclusion.

EWI Launches New Delhi Summit Process; India pushes cybersecurity cooperation

India is pushing aggressively to foster closer international cooperation on cybersecurity, and the EastWest Institute (EWI) has launched a process to work with India on this critical issue.

“Countries that share the same societal values of freedom of expression and speech need to come together in cyberspace,” said Indian Minister of Communications and Information Technology Kapil Sibal.

Sibal spoke during a press conference hosted by the EastWest Institute and its Indian partners the Federation of Indian Chambers of Commerce and Industry (FICCI) and National Association of Software and Services Companies (NASSCOM). Its purpose was to launch the New Delhi Summit Process and announce the Third Worldwide Cybersecurity Summit to be held in New Delhi next year.

“It is essential to have government-to-government collaboration, especially in the field of information sharing on cyber attacks and cyber crime,” Sibal said.

India–U.S. cooperation on cybersecurity has only deepened over the past year. One good example of that progress is the memorandum of understanding on cybersecurity information sharing signed by Indian Secretary of the Departments of Telecommunications and Information Technology R. Chandrashekhar and the U.S. Department of Homeland Security in July 2011.

EWI Co-Chairman Ross Perot, Jr., said government cooperation is only half of the story, pointing out that private-public partnerships that share sensitive information across sectors also play a key role in protecting cyberspace. “So far, private-public partnerships have focused primarily on domestic markets with often limited success due to too many ineffective initiatives and too little trust between the government and the private sector. Instead, these partnerships need to expand across borders,” Perot said.

During the EastWest Institute press conference, IT Secretary Chandrashekhar argued that in cyberspace, “there is no Track I or Track II diplomacy. We are all on the same track, and we have to work together.”

Indian officials have ample reason to emphasize world collaboration on these issues. As a developing country, India is just as exposed to threats from cyberspace as the developed world. In fact, as both Minister Sibal and Secretary Chandrashekhar stated, the subcontinent might be more vulnerable to cyber attacks because their consequences could be more devastating than in Western countries.

“Cyberspace is the lifeline of economic and social development in India,” Chandrashekhar said. Minister Sibal supported this assertion, arguing, “The developing world has a great opportunity to leapfrog to the digitalized world, especially in finance, administration, and communications. Because of that, however, we need security solutions more than ever. Any new cyber threat can disrupt the leapfrogging and our fragile process of development.”

The Indian Parliament recently passed legislation to switch the government to paperless communication and administration over 25 years. Cyber threats, however, are on the rise on the subcontinent. For example, according to the Norton Cybercrime Report, nearly 30 million people in India fell victim to cyber crime in 2010, with a total financial loss of USD 4 billion. India now also ranks as one of the top five contributors to spam. Since spam often carries malicious code that can help penetrate or damage systems, these emails are more than just a nuisance; they are a real threat to commerce and India’s businesses.

Another threat is the protection and repair of undersea cables in India’s territorial waters, which carry 99 percent of transcontinental financial transactions and data between India and other parts of the world. All of India’s major Internet and telecommunication service providers are connected to overseas telecommunications systems through these international gateways. India has multiple undersea cables—lSTM 2, 3, 4, Safe, falcon flag, and i2i.

International information flow depends on the safety and security of these cables. Disruptions have occurred in the past due to accidents caused by the movements of ships, and due to natural disasters. Cable cuts are problematic, since single points of failure in the undersea cable system can cause severe disruption to the outsourcing industry in India.

To counter some of these threats, Minister Sibal outlined India’s near-term agenda for cybersecurity. First, India will aggressively pursue means to foster better collaboration on cybersecurity with like-minded countries. Second, India will actively promote a discussion on a global vision of cybersecurity, which does not yet exist. Third, there will need to be increased discussion of a new local, regional and global legal framework to better combat cyber crime. Finally, India is searching for the means to acquire a faster and more advanced global crisis response mechanism to cyber threats.

The EastWest Institute is actively supporting the Indian government in these endeavors. The Institute first raised the matter of cybersecurity in India nearly two years ago in a meeting with National Security Advisor Shiv Shankar Menon, which was followed by meetings with various other government officials and private sector leaders.

The launch of the New Delhi Summit Process is the result of these discussions. This process will address new actions for international cooperation on cybersecurity in three new fields: supply chain integrity, managing the shift to “cloud” and other globally deployed services in cyberspace, and payload security. The Institute will explore these critical issues with its Indian partners—FICCI, NASSCOM and the Data Security Council of India (DSCI).

As John Edwin Mroz, President of the EastWest Institute, stated during the press conference, “We need to keep racing to stay abreast of the implications of change driven by new technologies, and the agenda grows by the day. Our initiative is meant to spur awareness and help rally the Indian business, media and policy communities to help make a difference in protecting cyberspace.”

Minister Sibal concluded his remarks, emphasizing, “In cyberspace, we are not dealing any more with your problem or my problem. It is our problem. India must take a leadership role in convincing other nations that this is the case. The launch of the New Delhi Summit Process is an important milestone in forging all stakeholders together.”

A U.S.–India Partnership in Cyberspace

Former U.S. Secretary of Defense William S. Cohen and EWI Senior Cybersecurity Advisor Harry Raduege of Deloitte write that the United States and India have common interests and common challenges in cybersecurity:

The United States and India are engaged in an unprecedented level of collaboration and joint innovation in cyberspace. As our two economies grow more intertwined in the information age, so do our vulnerabilities. Today, adversaries in cyberspace no longer have to reach one nation’s shores to strike the other. They can strike computer networks in Hyderabad by penetrating those located in Houston, and vice versa. This means India’s ability to fend off cyber attacks is critical to the United States’ economic and national security—just as the United States’ ability to protect our information networks is critical to India’s security. The threat to both our countries is growing.

Read the full article at Mint.

WSC8 Media Coverage

The EastWest Institute's 8th annual Worldwide Security Conference (WSC8) took place on October 3-4, 2011. The conference, sponsored by the French G8 Presidency, brought together leading policymakers for two days of networking, debate and exclusive private consultations on a range of new security challenges, from the new political landscape in the Arab world to a growing number of attacks in cyberspace. Here is an overview of WSC8 media coverage.

> PC World
> New Europe
> The News (Pakistan)
> Kuwait News Agency
> Kashmir Watch
> TechWorld
> CFO World
> PC World
> CSO Online
> Infosec Island
> IT World
> ComputerWorld (Japan)
> IGT (Russia)
> RT.KORR (Russia)
> inoSMI (Russia)

Building Consensus on Cybersecurity

International agreements on cybersecurity require common terms of debate, participants at the EastWest Institute's Worldwide Security Conference (WSC) in Brussels said Tuesday.

Experts from the United States, Russia, China and other countries advanced ongoing efforts to develop recommendations for areas of potential cooperation to protect critical infrastructure.

"The efforts of the EastWest Institute are very constructive," said Andrey Korotkov, Head Chair of Global Information Processes at the Moscow State Institute of International Relations. "We now have direct contacts with American partners and they represent not only the official position of the government of the United States, but the point of view of experts."

On the first day of WSC8, Gen. Vladislav Sherstyuk, Advisor to the Secretary of the Security Council of Russia, presented the "Draft Convention on International Information Security." The draft was first presented by the Russian government last month at an international meeting of high-ranking security officials in Ekaterinburg, Russia. The text is designed to outline concepts for discussion and contributions from governments, experts, and members of the private sector and civil society.

The discussion at the 8th annual WSC continued the EastWest Institute's (EWI) existing work, which brings together government officials, technical experts and business leaders.

Paul Nicholas, Senior Director of Global Security Strategy at Microsoft, said international agreement on computer and data security will be increasingly important.

"With another billion people coming online in the next four years, it's really important we have agreements for collaboration on cybersecurity," Nicholas said.

Existing international rules, such as the Geneva and Hague Conventions, can serve as a starting point for agreements in the era of online communications and digital technology, said EWI's Chief Technology Officer and Distinguished Fellow Karl Rauscher.

"We have a foundation of trust in the physical world that we've now extended to the cyber world," Rauscher said.

EWI's wider work on international issues in cybersecurity includes contacts with experts and leaders from China, India and the Cyber40, a diverse group of 40 technologically advanced countries.

Cybersecurity is one of the dominant themes of the WSC, which runs for three days of public events and private consultations.


Deterring Attackers in Cyberspace

Is America at war in cyberspace? In the face of increasingly brazen cyber attacks against our country, the Obama administration established the first military command devoted to cyberspace, U.S. Cyber Command, in 2010. And the Pentagon has issued a new declaratory policy in which the United States announced that it reserves the right to respond to cyberattacks with conventional weapons. It sounds a lot like war. But is it?

Today, America is most certainly engaged in what amounts to a cyber “cold war.” We face a daily barrage of low-level “tactical” strikes in which foreign adversaries attack our computer networks, often using proxies in cyberspace — much as the United States and the Soviet Union engaged in low-level combat using proxies in Africa and Latin America during the Cold War of the 20th century. In some cases, these attacks escalate into what our military calls operational-level engagements — decisive attacks or incidents that gain front-page attention in the news (such as the Stuxnet virus that attacked Iran’s nuclear program) but do not significantly alter the daily lives of Americans.

The real danger is the prospect that an enemy could one day launch a strategic-level attack in cyberspace — one that causes large-scale death, destruction, damage, disruption or devastating economic loss for our country. A sophisticated cyberattack targeting our power grid, telecommunications, banking or transportation systems could one day cause damage that was once the province of conventional weapons. Such a strategic attack could prompt the president to order retaliatory action — turning today’s cyber “cold war” into a hot war.

Such a strategic attack in cyberspace has not yet occurred — and preventing one should be the top priority of our nation’s cyberdefense policy. We can do so the same way we ensured that the Soviet Union never used its massive nuclear arsenal to cause catastrophic damage to our country: by establishing an effective framework for deterrence. 

During the Cold War, the U.S. built a “strategic triad” of land, sea and airborne nuclear weapons that deterred a Soviet attack using weapons of mass destruction. In the digital age, we need a cybersecurity triad to deter attacks on our information networks using weapons of mass disruption. 

The first leg of this new triad is resilience. During the Cold War, our adversaries knew that a nuclear first strike was futile, because if they hit our land-based missiles, we still had missiles at sea and in the air with which to retaliate. We must build similar resilience into our information systems so adversaries know they cannot cripple the U.S. economy or military. If our networks are resilient and terrorists or other adversaries find they can cause no devastating negative impact, that is a deterrent in itself.

The second leg of the new cybersecurity triad is recognition. One of the reasons cyberattacks are so attractive today is that it is extremely difficult to identify the ultimate source of the attack. We need to improve our ability to trace cyberattacks and identify the culprits. If foreign enemies can attack our information networks without fingerprints, they can attack without consequences, and that means they cannot be deterred. 

The third leg is retaliation. Our enemies must know that America can launch counterstrikes in cyberspace that can cripple their information networks if they dare to threaten ours. Unfortunately, as Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, recently explained, we are currently devoting nearly 90 percent of our attention toward building better firewalls and only 10 percent on retaliatory capabilities. Gen. Cartwright said a better strategy would be the reverse.

Moreover, our enemies must understand that America cannot limit its response to cyberspace. Cyberspace is a domain, just like land, sea, air and space. Today, if the United States is attacked at sea, our military does not limit itself to retaliating at sea. We reserve the right to reply in other domains. The same is now true of an attack in cyberspace. If we can trace the source of a cyberattack to a cave in the Hindu Kush mountains, America’s response could come in the form of a hellfire missile.

At the start of the nuclear age, the United States developed the doctrine and capabilities that successfully deterred the USSR from using its nuclear arsenal against us. Now, at the start of the cyberspace age, we must develop the doctrine and capabilities to deter would-be attackers from wreaking destruction or disruption on our country from cyberspace.

Raduege is a retired lieutenant general of the Air Force and former co-chairman of the Commission on Cyber Security for the 44th Presidency. He is currently a senior counselor of The Cohen Group and chairman of the Deloitte Center for Cyber Innovation.

Click here to read Raduege's piece in The Hill

Statistics and the 'Cyber Crime Epidemic'

According to the recently released Norton Cyber Crime Report for 2011, 431 million adults worldwide were victims of cyber crime last year. The total cost of those crimes amounts to some $114 billion. This precise statement, however, hides an important problem: We actually lack comprehensive data in assessing the true scale and scope of cyber crime. This is because we primarily rely on businesses to voluntarily self-report incidences of attacks and intrusions without any means to verify their statements. To turn the tide in the fight against cyber crime, we first need to know its true impact on the world economy.

William W. Watt once remarked, "Do not put your faith in what statistics say until you have carefully considered what they do not say." In examining the statistical outpouring of data on cyber crime, one should pay special attention to what those statistics do not say. The recently published report, Second Annual Cost of Cyber Crime Study, by the Ponemon Institute, a U.S.-based information security policy research center, is another good case in point. The report states that "over the past year, the median cost of cyber crime increased by 56 percent and now costs companies an average of $6 million per year." This statistic was compiled using a self-report survey of 50 U.S.-based businesses.

The reason businesses routinely under-report incidents of cyber crime is that most information on cyber crime losses is derived from surveys; that is, statisticians merely send questionnaires to companies and hope they are answered in good faith. Businesses have vested self-interests in under-reporting incidents since they either do not want to lose consumer confidence or be held accountable by shareholders or boards. Consequently, the data we collect from such surveys has very low predictive power and cannot serve as a basis for informed policy formulation.

What most people do not realize is that cyber criminals do not have to be too sophisticated to inflict major damage. Cheap malware that can be purchased online often suffices. The real danger to a country's economy arises from advanced persistent threats (APTs) -- highly sophisticated and long-planned intrusions often executed with state sponsorship. Jeffrey Carr, a U.S. based cyber security expert, recently stated that the biggest threat is the theft of intellectual property in high-value technology and energy assets. Here too under-reporting is endemic.

One report claims that U.S. intellectual property theft -- an APT -- costs 750,000 jobs annually, much of which is conducted via cyber space. The validity of this number, however, is questionable since many APT attacks either are not detected or are kept secret for many years. Most companies do not even know that they are under attack, and if they do know, companies are not willing to share data because we lack a trusted identity to collect it.

There are dozens of public- and private-led cyber security data distribution forums in existence already, but the number, scope, and diversity makes for a complex environment where sharing information is very difficult. What is needed is the equivalent to the U.S. Center for Disease Control and Prevention, an umbrella organization coordinating the different activities of forums and which could conduct broad analysis into cyber space. In the United States the National Security Telecommunication Advisory Committee provides a good model for sharing and normalizing threat data that could be generalized to various initiatives from defense, finance, or information-based industries.

Such a new umbrella organization could induce private sector companies to voluntarily provide at least a modicum of raw statistical data about their performance. For example, the data breach reports should be "anonymized," which will, from a business perspective, facilitate sharing. With this minimal data, rudimentary statistics could be compiled and common responses developed. The main focus here should be on data treatment and distribution. Data must be usable and accurate enough to enable action and suppress vulnerabilities in companies.

The significant disconnect within many corporations, where internal security experts are unable to justify increased security methods or spending due to a lack of measured information, presents a grave danger to the well-being of our global economy. Having trusted measures and performance benchmarks will significantly reduce this information gap between security and executive leadership in organizations. It will help formulate more cost effective defense strategies against cyber crime. Better detection rates of attacks, faster responses to incidents, and sounder policy formulations will make companies more secure and consequently more competitive in the global market. As Gordon Gekko stated in Wall Street: "The most valuable commodity I know of is information." This has never been truer than in the age of cyber space.

Click here to read Gady's piece on the Huffington Post

EastWest Institute Advises Congressional Cybersecurity Caucus

On July 7, 2011, on Capitol Hill, EastWest Institute experts appeared before Rep. Michael McCaul (R-Texas) and Rep. James R. Langevin (D-Rhode Island), leaders of the 112th Congressional Cybersecurity Caucus, as well as staff from the Department of Defense, Department of State and National Security Administration.

EWI provided advice on how countries can work together to protect cyberspace – a formidable challenge, given that a cohesive cyber policy in the U.S. alone is a work in progress, with over a dozen draft cybersecurity bills circulating Congress.

“The conversation among nations is still in its nascent stages,” said the U.S. National Security Council’s former Acting Senior Director for Cyberspace Melissa Hathaway. Hathaway is now a member of the EastWest Institute’s Board of Directors.

EWI’s Second Worldwide Cybersecurity Summit, held June 1-2 in London, was a useful model for international collaboration, according to Hathaway, who spoke along with EWI President John Mroz, Lt. General (Ret.) Harry D. Raduege, Jr., Chairman of the Deloitte Center for Cyber Innovation, and EWI Chief Technology Officer Karl Rauscher.

At the summit, more than 450 public and private-sector delegates from 43 countries worked towards practical steps for everything from fighting cyber crime to ensuring that emergency messages can traverse congested telecommunications networks.

“What encourages me is that we had senior representatives from governments and corporations,” said Raduege, adding that networking and information-sharing are vital. Raduege is a member of the EastWest Institute’s President’s Advisory Group.

The experts also emphasized the importance of private-public partnerships or, as Hathaway put it, conversation between the “geeks” (technical experts) and the “wonks” (policy leaders). The private sector should lead cybersecurity efforts, according to Rauscher, particularly when it comes to ensuring that digital hardware and software are not infected.

“The commitments of governments that they will make procurements based on better reliability and security will make a difference,” said Rauscher.

McCaul asked the experts to speak about the potential for a treaty on cyber warfare.

Mroz and Raduege both said that the first steps to international agreements are bilateral and multilateral dialogues on specific cybersecurity threats. Earlier this year, EWI-led U.S.-Russia talks on “rules of the road” for cyber conflict produced an attention-getting report at the 2011 Munich Security Conference, and a team of U.S. and Chinese experts published joint recommendations on reducing spam.

Mroz cautioned, “If you’re waiting for a big treaty, it may be too late.”

Google and China

After a fairly auspicious start to 2011, relations between the United States and China have soured once again over the issue of cybersecurity.

Google’s assertion earlier this month that hackers located in China had been seeking to steal the passwords of hundreds of Gmail account users, including those of senior U.S. officials and Chinese political dissidents, sparked the predictable denials and counter-accusations from Beijing.  The fact that the U.S. Federal Bureau of Investigation (FBI) is looking into the allegations lends an additional air of seriousness to the spat, as do the recent statements on the issue by the U.S. secretaries of State and Defense and senior Chinese government spokesmen.

In U.S.-China relations, each decade seems to have its own thorny issue that rises above the others and defines the relationship to a disproportionate degree.  In the 1990s, human rights was the major issue of concern (from the U.S. vantage, at least).  In the first decade after the turn of the millennium, in the wake of China’s accession into the World Trade Organization, trade became the predominant source of friction.  Recent developments suggest that cybersecurity is going to be the U.S.-China issue of this decade – and it just might make the other issues look easy by comparison.

The very term “cybersecurity” embraces a number of different dimensions.  Breaches of cybersecurity can range from mere technical glitches; to willful cybermisfeasance – relatively minor acts of cyber-mischief; to cybercrime, such as acts of theft or fraud; to cyberespionage (both commercial and political-military) – the illicit seeking of sensitive economic or national security information of another country; to cyberterrorism and even full-fledged cyberwarfare – violent acts of non-state and state actors, respectively, targeting civilian and critical national assets.

One of the dynamics that tends to complicate U.S.-China relations around the issue of cybersecurity is the propensity of U.S. journalists, and even some experts, to characterize actions that fall within the first several categories of activity noted above, and that were likely perpetrated by private individuals (with no or, in any case, varying degrees of coordination with the central government), as “cyberwarfare.”  Like a number of other observers, I believe the utilization of the term “cyberwarfare” by U.S. writers in these lesser contexts is misleading and unhelpful.  As I have often said, if we were ever in a state of true cyberwarfare with China (or any other major cyber power, for that matter), we’d certainly know it – and frankly, it would probably be the least of our problems at that point.  (I cannot easily envision a scenario in which two nations would be in a full-on cyberwar with each other that would not almost instantly become a full-fledged, total war between them.)  The tendency in the United States to cast cyber tensions between the United States and China as manifesting a state of “cyberwar” between the two countries reinforces a general sense, among average Americans, that China is somehow the “enemy.”  In turn, China’s invariably shrill responses to charges like those Google recently made only serve to perpetuate the old rhetorical cycle.

I am convinced that somewhere in a newsroom tonight, there is a China affairs or foreign affairs reporter who is already writing the news copy for the next iteration of this story; I doubt he or she will have to edit the piece much when the actual events occur some weeks or months from now.  The script is pretty predictable.

Of course, rhetoric is by no means the only aspect of the problem.  At the core of U.S.-China cyber tensions is a simple truth:  the two countries, like virtually all countries, spy on each other, including via cyber means.  As outgoing U.S. Defense Secretary (and former CIA director) Robert Gates himself testified before the U.S. Senate earlier this month:  “Most governments lie to each other.  …[S]ometimes they send people to spy on us, and they’re our close allies.”  If that’s true amongst our “close allies,” then it’s certainly true of countries whose basic ideologies are so antithetical and whose political systems are so profoundly different. 

The United States and China will continue to probe each other’s cyber capabilities and defenses for many years to come.  That should surprise no one.  Still, what is needed is a more substantive and open dialogue between the two governments about cybersecurity.

In sharp contrast to the cases of human rights in the 1990s and trade and economic issues in the 2000s, in which – despite the sharp divergence in perspectives on the issues – there was intensive engagement between the two governments on a nearly daily basis, there is as yet relatively little concrete and sustained engagement between the United States and China on cybersecurity.  Indeed, cybersecurity was added to the agenda of the all-encompassing Strategic and Economic Dialogue (S&ED) discussions between the two governments only this year.  I was glad to see this development; in a March 2010 op-ed in the Dallas Morning News, I was the first voice in the U.S. media to call for cybersecurity to be added to the S&ED agenda.

The EastWest Institute, a New York-based foreign policy think tank specializing in track 2 diplomacy, has made a concerted and fruitful effort to address the “dialogue deficit” between the United States and China on cybersecurity.  We invited senior Chinese officials to address our Worldwide Cybersecurity Summits in Dallas in 2010 and London in 2011 and invited Chinese internet experts, from both the public and private sectors, to play an active, and indeed integral, role in our multilateral efforts to establish international rules of the road in the cybersecurity domain.  The EastWest Institute also brought together top-level U.S. and Chinese experts to explore what the two countries could do, on a voluntary basis, to combat the dissemination of spam – and in the process, helped produce the first U.S.-China consensus set of recommendations on a cybersecurity topic. This is a strong foundation on which further cooperation can be built.

The fact is, the cybersecurity challenges we face today are global in nature; they require international collaboration. Both the United States and China, as two of the preeminent cyber powers in the world today, need to be at the table.

As posited above, the news story about the next U.S.-China cyber flap has probably already been written; it’s old news before it has even occurred. Perhaps it’s time to write the next chapter in this important story.

David J. Firestein is vice president of the EastWest Institute.  A former U.S. diplomat, he is the author of three books on China, including two China-published best-sellers.

