Cyberspace Cooperation

The Global Cooperation in Cyberspace Initiative seeks to reduce conflict, crime and other disruptions in cyberspace and promote stability, innovation and inclusion.

Towards a New Harmonized Global Framework on Cybercrime

The EastWest Institute’s Cyber Crime Working Group has concluded that current legal measures to combat cybercrime are inadequate.

The group is co-chaired by retired Norwegian judge Stein Schjolberg and advocate Pavan Duggal of the Supreme Court of India – one of the leading experts on cyber law in Asia – and consists of experts from Norway, India, Russia, the United Kingdom, France, Switzerland, Sri Lanka, Italy, and Belgium. In a meeting held March 1-2 in Brussels, the group called for new progressive international legal frameworks, including the need for a global tribunal on cyberspace.

The objective of the EastWest Institute’s Cyber Crime Working Group is to propose a new set of harmonized legal frameworks to combat cyber crime through increased international cooperation. During an intense two-day discussion, participants agreed that, for the moment, new international legal frameworks should be focused on the regional rather than the global level.  Participants also pointed out that any new legal approaches alone will not be sufficient: rather, a much more integrative approach involving not only governments, but also the private sector, civil society, and non-government sector, is needed.

Regarding the new global tribunal on cyberspace, one of the main challenges will be establishing the legitimacy of such a tribunal. Currently, there is no international body with a mandate to deal with cyberspace complaints.  A new global tribunal would require the consent of all countries including the United States, which might prove difficult to obtain.

Preceding the establishment of such a court, state sovereignty—a concept that in the past has caused disagreements among major cyber nations such as the United States and Russia—would require extensive philosophical discussion, as one expert emphasized. Another expert stated that the new tribunal could derive its legitimacy from cooperating on non-politically sensitive issues that have a broad consensus among nations, like banning child pornography from the Internet.

Co-chairs Duggal and Schjolberg emphatically stated that this is only the beginning of a long process for achieving an agreement that reconciles and incorporates diverse legal viewpoints into comprehensive new legal frameworks. Simple questions such as “should new legal frameworks be based on common or civil law?” could be major stumbling blocks. For example, India chose not to join the European Convention on Cyber Crime because it would have introduced a completely alien legal framework into the Indian legislative process.

Participants also agreed that any new legal frameworks have to take into account the involvement of various stakeholders, especially in the private sector. As one participant pointed out, the reason why the European Convention on Cyber Crime is not as widely accepted is that the convention was composed without the involvement of the private sector. Involving civil society as a whole and non-governmental organizations is also deemed essential, especially considering education and training.

The clash of privacy rights and free speech advocacy with cybersecurity will also need to be studied carefully. For example, the European Union has already endorsed a proposal to create a European center to exchange information on inquiries made on child pornography cases. It is, however, not widely accepted due to privacy concerns.

Addressing child pornography, the group stressed the need to redefine the term “child pornography” to make a distinction between real children and virtual children. This attempt, as one expert pointed out, is a good starting point for private-public partnerships. For example, for Russia, this was the starting point in developing the first private-public partnership in the field of cybersecurity.

The cyber crime working group is scheduled to present preliminary findings during a briefing session at the Second Worldwide Cybersecurity Summit on June 1-2, 2011 in London and to deliver a final set of recommendations at the time of the Third Worldwide Cybersecurity Summit in Delhi, India in 2012.

To register for the Second Worldwide Cybersecurity Summit in London, please visit: http://www.cybersummit2011.com/

Cyberspace Wars

CAMBRIDGE, MASSACHUSETTS — This year, the 47th Munich Security Conference included for the first time a special session on cybersecurity. “This may be the first time,” the president of a small European country noted to the high-powered assembly, more accustomed to dealing with armies and alliances than with worms and denial-of-service attacks, “but it will not be the last.”

Until now, the issue of cybersecurity has largely been the domain of computer geeks. When the Internet was created 40 years ago, this small community was like a virtual village of people who knew each other, and they designed a system with little attention to security.

Even the commercial Web is only two decades old, but as British Foreign Secretary William Hague reminded the Munich conference: It has exploded from 16 million users in 1995 to more than 1.7 billion users today.

This burgeoning interdependence has created great opportunities and great vulnerabilities. Security experts wrestling with cyber-issues are at about the same stage in understanding the implications of this new technology as nuclear experts were in the early years after the first nuclear explosions.

The cyber-domain is a volatile manmade environment. As an advisory panel of defense scientists explained, “people built all the pieces,” but “the cyber-universe is complex well beyond anyone’s understanding and exhibits behavior that no one predicted, and sometimes can’t even be explained well.”

Unlike atoms, human adversaries are purposeful and intelligent. Mountains and oceans are hard to move, but portions of cyberspace can be turned on and off at the click of a mouse. It is cheaper and quicker to move electrons across the globe than to move large ships long distances through the friction of salt water. The costs of developing multiple carrier taskforces and submarine fleets create enormous barriers to entry and make it possible to speak of U.S. naval dominance. In contrast, the barriers to entry in the cyber-domain are so low that nonstate actors and small states can play significant roles at low levels of cost.

In my book, “The Future of Power,” I describe diffusion of power away from governments as one of the great power shifts in this century. Cyberspace is a perfect example of the broader trend. The largest powers are unlikely to be able to dominate this domain as much as they have others like sea, air or space.

While they have greater resources, they also have greater vulnerabilities, and at this stage, offense dominates defense in cyberspace. The United States, Russia, Britain, France and China have greater capacity than other state and nonstate actors, but it makes little sense to speak of dominance in cyberspace. If anything, dependence on complex cybersystems for support of military and economic activities creates vulnerabilities in large states that can be exploited.

There is much loose talk about “cyberwar.” But if we restrict the term to cyber-actions that have effects outside cyberspace that amplify or are equivalent to physical violence, we are only just beginning to see glimpses of cyberwar — for instance in the denial-of-service attacks that accompanied the conventional war in Georgia in 2008, or the recent sabotage of Iranian centrifuges by the Stuxnet worm.

If one treats most hacktivism as mostly a nuisance, there are four major categories of cyberthreats to national security, each with a different time horizon and with different (in principle) solutions: 1) cyberwar and 2) economic espionage, both largely associated with states, and 3) cybercrime and 4) cyberterrorism, mostly associated with nonstate actors.

For the United States, at the present time, the highest costs come from espionage and crime, but over the next decade or so, war and terrorism may become greater threats.

Moreover, as alliances and tactics evolve among different actors, the categories may increasingly overlap. As the former director of National Intelligence, Mike McConnell, said, “Sooner or later, terror groups will achieve cyber-sophistication. It’s like nuclear proliferation, only far easier.”

At this stage, however, according to President Obama’s 2009 cyber-review, theft of intellectual property by other states (and corporations) is the highest immediate cost. Not only does it result in current economic losses, but by destroying competitive advantage, it jeopardizes future hard power.

Security experts are far from certain what terms such as “offense, defense, deterrence, or the laws of war” mean in the cyber-realm. We are only at the early stages of developing a strategy. And public understanding lags even further behind. That is why this year is likely to be just the beginning of many discussions like the one at the Munich security conference.

Joseph S. Nye Jr. is a professor at Harvard and the author, most recently, of “The Future of Power.”

Nye's article appeared in the International Herald Tribune.

First China-U.S. Effort to Fight Spam

Speaking at the Messaging Anti-Abuse Working Group 21st General Meeting in Orlando, Fla., on Feb. 23, the EastWest Institute’s Chief Technology Officer Karl Frederick Rauscher previewed a joint China-United States report on cybersecurity to be published next month. Fighting Spam to Build Trust will be the first product of talks between Chinese and United States experts convened by EWI, a New York-based international think tank. 

“The EastWest Institute sees this report as part of our larger effort to help overcome the trust deficit between China and the United States on cybersecurity,” said Rauscher. At the end of Chinese President Hu Jintao’s visit to Washington last month, the U.S.-China Joint Statement called on the two countries to address cybersecurity issues.

Rauscher co-led the bilateral with Yonglin Zhou, Director, Network Security Committee of the Internet Society of China. Fighting Spam to Build Trust will present voluntary best practices for reducing spam which, according to MAAWG, accounts for about 90 per cent of email traffic.

According to Rauscher, the experts chose to target spam in part because China has made great strides in reducing spam in recent years – a notable achievement given the rapid growth of Internet users in the country.  Rauscher said that the report will emphasize a leadership role for the private sector in both countries. The recommendations for combating spam will include: processes for creating international protocols aimed to differentiate legitimate messages from spam; a call for educating consumers about the risk of botnets; and measures for discouraging spam, such as encouraging ISPs in both countries to use feedback loops.

“This cooperative effort will not end with this report,” said Zhou. “Rather, it is a part of an ongoing process between Chinese and United States experts to open dialogue and foster mutual understanding.”

Michael O’Reirdan, MAAWG Chairman and Distinguished Engineer at Comcast, said, “This dialogue with China is a most welcomed breakthrough – a real step forward. It comes at an opportune time and can build on the work that has been going on at MAAWG for several years.” MAAWG works against spam and online exploitation, representing over one billion mailboxes worldwide.

EWI President and Founder John E. Mroz added: “The United States and China face large moral and political dilemmas in cooperating on cybersecurity. Do we continue to see each other as enemies or rivals, or do we edge slowly forward trying to find common ground?  We know that the economic and personal security of our citizens depends on a quantum leap in cooperation and an end to the rapidly escalating cyber mistrust.”

Multilateral efforts to fight spam will be one of the topics discussed at EWI’s upcoming Second Worldwide Cybersecurity Summit, to be held in London June 1-2. To register, visit: http://www.cybersummit2011.com/

 

Iran’s Right to Cyber Self Defense

In his weekly column in New Europe, Greg Austin examines the implications of the cyber attacks against Iran, which were designed to set back its nuclear program.

Many people heaved a sigh of relief when United States Secretary of State, Hillary Clinton, cited to CNN on 12 January 2011 a statement of the outgoing head of Israeli intelligence that a “combination of sanctions and covert actions have significantly slowed down the Iranian [nuclear] program”. This appeared to take the much vaunted (possible) military strike by Israel and/or the United States off the table as a near term risk. Yet, the covert action has not eased tension in the strategic confrontation. Risks of escalation have increased.

There were probably several elements to the covert action. The most well known is that sometime before September 2010, a country or countries unknown attacked Iran’s uranium enrichment systems using a cyber “weapon” (Stuxnet) that rendered up to 30 percent of the centrifuges unusable.

The cyber attack was an act of sabotage across state borders and therefore it was – prima facie – a breach of international law. Even if this were a declared war, Iran would have the right of retaliation for self-defense under international law if it could determine which state actor or actors were involved in the attack. This right is not diminished because of the sanctions resolutions of the UN Security Council.

Those states which oppose Iran’s nuclear program could hardly argue that a military attack by Iran against them was imminent, thus giving them a right, based on the principle of their own self-defense, to attack Iran’s nuclear infrastructure. (The assumed position of the perpetrator state or states would be that the attack was a justifiable act since Iran cannot be trusted to keep nuclear weapons – if it had them – out of the hands of terrorists.)

In January 2010, Hillary Clinton laid out her country’s position on the unlawfulness of cyber attacks: “Countries or individuals that engage in cyber-attacks should face consequences and international condemnation,” she said.

So who will punish the perpetrator(s) of the cyber attack on Iran? What actions of cyber self-defense by Iran would be permissible under international law? Retaliation is a time honored convention and recognized as lawful in certain circumstances under customary international law. There is considerable debate about what form retaliation might take, but proportionality is one of the main considerations. There are other considerations, such as absence of recourse to other measures, last resort and, where it applies, “hot pursuit” of the attackers.

Law aside, it is not unreasonable to imagine that some in the Iranian government are arguing for a cyber retaliation. According to some sources, Iran’s cyber warfare capability is in the hands of the Revolutionary Guards. Will Iran retaliate? What form might a cyber response take? If there was retaliation, it could represent an escalation of cyber conflict, and possibly provoke military clashes between Iran and the assumed perpetrator(s).

At the least, this widely-publicized offensive use of the “Stuxnet” cyber weapon may represent a turning point – is the “genie out of the bottle”? Does the use of Stuxnet herald a period of uncontrolled tit-for-tat offensive cyber strikes for sabotage and economic disruption in an environment where there are no common international understandings for regulating cyber conflict? This is no longer simply a debate about a gap in international law that needs to be addressed to control conflicts that might arise. Offensive cyber operations are already occurring and on a large scale.

Iran is developing cyber warfare capability, like other major powers. Is its capability good enough to mount a damaging cyber strike in response to the Stuxnet attack? The answer according to some sources is yes. We can only hope that Iran’s leaders lead by example here, exercise restraint and disavow a cyber retaliation, or any retaliation for that matter.

BBC and Other Media Feature EWI Russia-U.S. Report on Cyber Conflict

EWI releases report by Russian and American experts on the “rules of the road” for cyber conflict, examining how the principles of the Geneva and Hague Conventions can be applied to cyberspace. The report caused a lot of interest in the media and among bloggers; here is a selection of stories published so far.

Source: Newsnight BBC
Source Author: Susan Watts

First Worldwide Cyber Security Summit: results and next steps

"EastWest Institute’s cyber security team is building private-public partnerships to protect the undersea fibre optic cables that carry intercontinental financial Internet traffic, developing policies to assure international priority communications and facilitating bilateral processes to create ‘Rules of the Road’ for cyber conflict", writes Brian Sims on Info4Security.

Source: Info4Security
Source Author: Brian Sims
