The Obama administration has issued four documents dealing with issues of cybersecurity. Two are concerned with protecting the United States against the many real and imagined forms of cyberattack, one announces an effort to establish protective norms of behavior among “like-minded” countries, and one accuses China and Russia of stealing economic information by cyberintrusion, making it evident that they are not included among the like-minded countries.
The documents feature basic principles and generally worded aspirations with very little specification of plausibly effective operational policy. At the level of computer code, there is a world of intricate operational detail to which the documents refer, and that level of detail is validly considered to be too abstruse and too sensitive for public discussion. Yet, in declaring that policy actions are required to deal with significant vulnerabilities that cannot be decisively removed, the documents implicitly reveal a prevailing judgment that robust protection of the many activities that now occur in cyberspace cannot be achieved by mastery of computer code or by any other technical means. The beginning of wisdom on the subject is realization that the issues in question are essentially unprecedented and for that reason very imperfectly understood.
The Basic Problem
As is well recognized, the basics of the situation arise from the spontaneous emergence of the Internet, which surely counts as one of history’s more remarkable events. The Internet itself is simply a set of protocols for transferring files between addresses assigned to individual computers. The transfer occurs without examining the content of the files and without identifying the persons involved. At the time the arrangement was formulated, the network to be created was expected to involve on the order of 100,000 computers worldwide, all of them mainframes. It was not imagined that the network would grow to encompass billions of individual computers, most of them substantially more capable than mainframes of the early 1970s, nor was it foreseen that the network would be able to exchange an exabyte (1018) of data daily as it currently is doing. The unanticipated Internet has become in effect a global utility vital to the operation of most institutions and to the daily lives of a substantial portion of the human population.
The consequences of that development have been enormously beneficial on balance but not entirely benign. The transfer protocols have enabled anonymous predators to operate with global reach and have created a constantly evolving problem of protecting legitimate services from exploitative or destructive intrusion. Up to this point, spontaneous actions to defend against predators have been sufficiently effective to support progressively extensive use of the Internet. There have been occasional instances of malicious software propagating to the extent of commanding global attention and similarly occasional episodes of prominent denial-of-service attacks, in which a Web site is deliberately overloaded.
There is, moreover, a constant daily barrage of limited but troublesome intrusions. Nearly everyone with an Internet connection has experienced some irritating episode. Nonetheless, many imaginable disasters have not occurred. Power grids have not collapsed, aircraft have not been diverted, nuclear reactors have not exploded, and the amount of fraud the financial system has suffered has not been sufficient to preclude the daily flow of money, stocks, and commodity trade running in the trillion-dollar range. It is conceivable that this experience reflects inherent limits on the level of Internet predation, but it also is possible that some catastrophe is incubating.
The fact that the possibility of catastrophe cannot be precluded with confidence gives policymakers a compelling reason to consider how the underlying risks might be minimized even if they cannot be entirely eliminated. That, however, has to be a judiciously limited aspiration. Not every conceivable disaster can be actively prevented. If there is to be a standard of protection more reliable than what individuals, organizations, and states can provide for themselves, it will have to be based on globally accepted priorities and would not include all concerns.
It is extremely unlikely, for example, that organized global protection would be extended to espionage in its many forms. The Internet has been a bonanza for intelligence agencies, marketing organizations, and all manner of busybodies. The practice of exploitation, as unauthorized access to information is commonly termed, is too widespread and too deeply entrenched to be included in any categorical restriction. Whoever exposes information to the Internet has to rely on whatever degree of protection he or she personally can devise or what commercial protective services can provide.
Similarly, military operations that selectively serve their own societies and threaten others would not qualify as a category eligible for protection. Military organizations will have to protect their use of the Internet as best they individually can. Nonetheless, globally organized protection might be extended to infrastructure that performs functions widely acknowledged to be vital to the legitimate operations of any society. Power grids, air traffic control systems, financial transaction clearing houses, emergency response teams, ship navigation systems, and hospitals are all plausible candidates frequently mentioned.
The Case of Power Grids
Among the candidates for status as a protected category, power grids loom as the most significant test case. They are yet more vital to the functions of society than the Internet itself, which depends on power to operate, and in principle, they are vulnerable to Internet predation. Power grid operations depend on computer codes that could be penetrated and maliciously altered. Doing so would require extraordinary sophistication and sustained effort that would itself be subject to exposure, but it is technically conceivable. The recent episode of the Stuxnet worm, apparently designed to attack Iranian gas centrifuges, gives pointed warning in that regard. Many organizations could do similar things, and if belligerent impulses are legitimized, some of them will.
If one admits that it could happen, then one has to admit the possibility of lengthy power outages extending over large areas. Informed opinion at the moment does not consider absolute protection to be feasible and concedes that significant trade-offs between exposure and operating efficiency keep the realized level of protection below its technical potential.
The consequences are necessarily speculative. Societies can adapt to intermittent power service and continue to support minimal needs, even if simultaneously burdened with ongoing civil conflict. Iraq would be a prime current example. No advanced society has encountered the complete termination of power grid service lasting weeks or months, however, and there are intuitive reasons to worry about social coherence in urban industrial areas under such a circumstance. Power grid disruption offers an apparent means of inflicting massive damage, and the opportunity to do so anonymously might be attractive to a terrorist organization dedicated to maximum social disruption or to a dissident state facing an inherently superior military establishment.
The most essential feature of any arrangement for organized global protection that aspires to be effective is a legally binding, categorical prohibition of destructive cyberattacks directed against power grids and other essential social services. That principle would have to be accompanied by monitoring and enforcement measures, but the viability of those measures would depend primarily on the degree to which the basic principle had been established. If a categorical prohibition were to be universally accepted, monitoring and enforcement measures could be devised that would provide a much higher standard of protection than currently prevails, but the defection of any major state would critically weaken the arrangement. Therefore, as a practical matter, China, Russia, and the United States would have to be committed and assertive participants, and that unavoidable fact significantly complicates the problem.
To accept a categorical prohibition, the United States would have to overcome its recent aversion to any legal rule that would restrict its freedom of action. In doing so, Washington would have to absorb the implication that attacks on power grids in particular are generally illegitimate. That implication would be resisted by advocates of coercive air power. Assaults on Iraq in 1991 during the Persian Gulf War and on Serbia during the crisis over Kosovo in 1999 featured attacks on power grids with conventional munitions. Prohibition of power grid attacks by cybermethods would not directly extend to attacks by kinetic means, but would implicitly undermine their legitimacy and therefore require judgments of the relative balance of interest in establishing the protective rule of law on one hand and exercising coercive force on the other.
Similarly, China and Russia would have to make relative balance-of-interest judgments regarding their reliance on cyberattack methods to compensate for inherent disadvantages in conventional force capability as well as their concerns about exposure through the Internet to external political influence and internal dissent. Any discussion of Internet protection will pit U.S. commitment to the free flow of information against Chinese and Russian concerns about maintaining political control. Those are fundamental matters for all three countries. On the other hand, all three should be able to recognize the devastating effect that an attack on their respective power grids would have. Notwithstanding their fundamental differences in other aspects of cybersecurity, they might be able to agree to certain stringent restrictions on that type of attack.
The real interest in mutual protection is strong enough in principle to motivate accommodation, but political systems of all varieties have difficulty with judgments of relative interest and will predictably attempt to construct any inconvenience as a categorical objection. As a practical matter, organized protection, for power grids especially but for other infrastructure assets as well, cannot be detached from the basic issues that determine fundamental security relationships. That is both an impediment and an opportunity.
The impediments to any significant policy innovation are substantial. Because there has not been an action-forcing incident that was too destructive to be ignored, there has been as yet no serious effort to organize global protection of vulnerable infrastructure. The major protagonists—China, Russia, and the United States—have suspected each other of clandestine intrusion, mostly in unofficial and indirect comment, and have alluded to the preparation of retaliatory measures, but have made no attempt to negotiate mutual restraint. That is a familiar story but not an excuse for general resignation. If national governments are too mired in traditional attitudes to organize a constructive initiative, then the societies they are supposed to serve have reason to explore the possibilities. To its credit, the U.S. government, in the recently issued policy documents, does encourage active public discussion, implicitly acknowledging that current and foreseeable operational practices do not ensure adequate protection.
The fundamental question is the concept of interest to be applied. Legacy security policies are based on a presumption of conflicting national interest, and they at least attempt to assure that national military forces can deter or repulse any assault on sovereign territory derived from fundamentally competing interests. National governments are reluctant to admit to any meaningful reliance on global legal rules for protecting their sovereign territory, but most of them are compelled to do so. Very few countries are capable of repulsing the attacks that could occur. The United States is the primary exception, but that exception has limited scope. Of all the countries in the world, the United States is the least vulnerable to a combined arms invasion, but it shares with all others vulnerability to remote destruction by nuclear bombardment and to terrorist intrusion.
Moreover, all governments are being subjected to a common threat of major proportions emerging from the process of global warming. However reluctant they may be at the moment to acknowledge that threat, it almost certainly will prove to be relentless and will predictably impose an imperative for coordinated action.
The underlying reality is that traditionally separate and mutually contentious national interests are being transcended and harmonized by a globalization process, embodied in the Internet. This situation has created a worldwide economy that must be collectively managed if it is to be managed at all. Under that circumstance, common interests can be expected to dominate, and equity rules can be expected to become far more important than national military power. Self-evident principles of equity are the primary means of establishing enforceable rules across separate sovereign jurisdictions. It may well take a generation or more for political attitudes to adjust, but gracefully or otherwise, that will have to happen.
The immediate implication is not only that common interest in critical infrastructure protection is strong enough to justify serious efforts to develop the idea, but also that there is some potential for such an effort to play a catalytic role in the ultimate reformulation of security policy generally. At the moment, the U.S. political system does not appear capable of undertaking any meaningful initiative on any subject, but one can presume or at least hope that its current paralysis will not be permanent. Even if a serious initiative on critical infrastructure protection might not be possible without the impetus of some specific misfortune, it is important to work out a basic design based on the principle that effective protection must be global in scope and therefore equitable in order to be effective.
The ingredients of such a design are reasonably apparent. A categorical prohibition of cyberattacks on critical infrastructure assets would have to be imposed by a universally ratified treaty if it is to be strong enough to be enforced. In addition, there would have to be institutionalized arrangements with global reach developing protocols for protection, actively monitoring illicit intrusion efforts, and prosecuting any party that attempts to violate the prohibition.
Protocols for protection would involve mandatory standards for the operators of infrastructure assets. For example, these operators might be required to register their operational codes and periodically to compare the current versions of those codes to the authenticated registry. The authenticated standards would have to be guarded with rigor comparable to, say, the protection of gold reserves or nuclear explosives, but high standards of protection are feasible if they are universally imposed. The problem arises when the costs of protection are pitted against operating efficiency in an unregulated market. In addition, the operations of at least some infrastructure assets, most notably power grids, would probably have to be disconnected from the general Internet to assure robust barriers to intrusion—a requirement that is feasible in principle but would need constant monitoring to accomplish in practice. Those provisions would not assure absolute protection, but they would establish a much higher standard than currently prevails or is currently projected.
As with many things in life, however, visualizing a rational outcome is much easier than accomplishing it, and in this case, that is especially true. The three principal protagonists whose active sponsorship of a global protection arrangement is essential—China, Russia, and the United States—have not been able to establish the presumptions on which meaningful security collaboration is necessarily based. As the enduring result of legacy policies, they remain locked in an active confrontation of their respective nuclear deterrent forces that defines the basic character of their security relationships even though they are usually polite enough not to mention it. The three governments cannot or, at any rate, will not discuss the Internet without entangling themselves in the disposition of nuclear weapons, the deployment of ballistic missile defenses, the balance of conventional forces, the regulation of space activities, the status of Taiwan, and many other contentious issues. Their respective societies, however, are less constrained than the governments; as a practical matter, they will have to carry the initial burden of initiative.
If there is to be organized global protection of Internet functions critical to daily life, those involved in the provision of services and those engaged in the social interactions the Internet has enabled will have to respond in a serious and sustained way to the call for public discussion.
Arms Control Implications
For the arms control community in particular, it is important to recognize the situation as an opportunity to pre-empt the perverse interaction that looms as an imminent danger. The policy document issued in July by the Department of Defense emphasized the development of defensive measures, but at the press conference releasing the public version of the document, Vice Chairman of the Joint Chiefs of Staff Gen. James Cartwright made it clear that he believed the U.S. approach would have to include offensive measures. British Foreign Secretary William Hague recently declared, “We will defend ourselves in every way we can, not only to deflect but to prevent attacks that we know are taking place.” To the extent that China and Russia perceive that the United States and its allies are preparing offensive operations, they are virtually certain to reciprocate, and all will predictably justify their effort by citing the others. That is a formula for a very destructive arms race driven by mutual suspicion as distinct from real national interest.
The situation is meaningfully reminiscent of the moment immediately after World War II when it was perhaps possible to establish international control over nuclear technology. The Acheson-Lilienthal report issued in the spring of 1946 recommended the formation of an international authority to regulate the entire cycle of uranium production and use in order to prevent application of the technology to the production of nuclear explosives and to promote nuclear power generation. The idea was transformed into the Baruch plan, featuring a veto-free UN voting rule that was categorically unacceptable to the Soviet Union. After the initial presentation of the plan and the Soviet statement of objection, neither the United States nor the Soviet Union made any effort to negotiate acceptable terms. Over the course of the ensuing two decades, massive deployments of nuclear weapons occurred. The world still is living with the consequences and still is struggling to impose adequate restraints.
One cannot know whether a more judicious and more sustained effort to establish international control might have succeeded in preventing or mitigating the Cold War confrontation. One can reasonably judge in retrospect, however, that the failure to make a sustained effort was an egregious error of statesmanship. It also should be acknowledged that ever since that moment, failures of statesmanship have been far more damaging to national and international security than any deficit in the deployment of destructive firepower.
The destructive potential of cyberattack methods certainly does not appear to be comparable to that of nuclear weapons unless there is some intrusion into the command procedures for controlling nuclear weapons. Nonetheless, even if one assumes that this possibility can be and has been reliably excluded, the potential for social disruption by cyberattack is massive, and the practice of the type of deterrence that is widely believed to have so far prevented the actual use of nuclear weapons is dramatically less reliable. Because the parties responsible for a cyberattack cannot always be reliably identified, the threat of retaliation is less credible and less effective.
It does not appear possible to control the capacity for cyberattack in the manner that capacity for nuclear explosives might have been controlled had the Acheson-Lilienthal recommendation been implemented. However, meaningful global protection can be provided if mutual protection has been established as the pre-eminent interest. It is important at least to attempt to establish that principle before it is vitiated by the development of antagonistic offensive programs. By now, the world should have learned that heading off a destructive process before it occurs is vastly more effective than trying to contain it after it has occurred. That makes the response to the call for public discussion of cybersecurity an urgent matter.
It is not appropriate for public discussion to ponder the details of computer code or the exact terms that might result from official negotiation, but it is vital for it to engage the fundamentals of interest and the operating principles derived from them. Those are matters that can be determined only by broad consensus and therefore require explicit and extensive discussion. The most fundamental of those questions has to do with the management of risk. As the financial crisis of 2008 and the Japanese reactor accidents in 2011 demonstrated, advanced societies are largely dependent on institutions whose narrow conception of interest makes them capable of ignoring evident societal risk that, as in those instances, could have been detected and should have been removed before calamity occurred.
The threat to the open Internet posed by cyberassault clandestinely prepared by major states is a risk of comparable proportions. Granted, it is not possible to reform or to eradicate all the hackers, criminals, and terrorists who prey on the Internet’s vulnerabilities. They are the equivalent of biological pathogens requiring the constantly evolving equivalent of immune system protection. The behavior of states is another matter, and that is where meaningful debate needs to focus. If states become dedicated predators using national protection as justification, then one can expect a classic tragedy of the commons to occur eventually: those who try to win a secret, destructive game predictably will ensure that everyone eventually loses, except perhaps those terrorists dedicated to massive social disruption for whatever reason.
If common interest in global protection is to prevail, it will need more assertive recognition and broader endorsement than has been achieved. Governments need to agree to the principle that protection of legitimate use of cyberspace dominates any interest in hostile exploitation and that there is no legitimate interest in destruction short of legally declared war. That principle has not been established and will assuredly need active discussion. The discussion can be expected to involve a struggle over what the term “realism” realistically means as proponents of national advantage proclaim inevitably looming battles to be won and attempt to marginalize defenders of the commons who warn that the more muscular approach constitutes delusional belligerence.
If the presumptive priority of protection were to be established to the point that it was capable of providing the foundation for global regulation, the demanding problem of setting boundaries on exploitation would arise, and that in turn would pose very demanding institutional questions. In technical terms, intrusion for purposes of exploitation has so much in common with intrusion for purposes of destruction that a categorical distinction is presumably unmanageable and prudent regulation is a necessity. National intelligence and law enforcement agencies have become deeply involved in Internet exploitation for what they consider to be compelling reasons; that poses the problem of balancing their interests against the requirements of global protection. These agencies are the equivalent of Tokyo Electric Power Company, the operator of the Japanese reactors—indispensable but not alone trustworthy.
The world currently lacks institutions capable of establishing and enforcing standards of global protection higher than those that market entrepreneurs and competitive security establishments generate on their own. Indeed, no one has defined or delimited the capacities these institutions would have to develop, nor has anyone determined the characteristics that would make them trustworthy. The global economy so far has flourished without those institutions, but it is foolish to think it can do so indefinitely. Governments will not develop those institutions and will not provide adequate protection until they encounter more insistent and better formulated demand to do so. ACT
John Steinbruner, who has been studying and writing about international security issues for more than 40 years, is professor of public policy at the School of Public Policy at the University of Maryland and director of the Center for International and Security Studies at Maryland. He chaired the National Academy of Sciences’ Committee on Deterring Cyberattacks. He is chairman of the board of the Arms Control Association. The views expressed in this article are those of the author.
1. The White House, “Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure,” May 2009, www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf; Department of Defense, “Department of Defense Strategy for Operating in Cyberspace,” July 2011, www.defense.gov/news/d20110714cyber.pdf.
2. Executive Office of the President, “International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World,” May 2011, www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf.
3. Office of the National Counterintelligence Executive, “Foreign Spies Stealing U.S. Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011,” October 2011, www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf.
4. In September, China and Russia jointly submitted a letter to the UN General Assembly outlining a proposed International Code of Conduct for Information Security in apparent reaction to the Obama administration documents. The proposal is focused on their determination to preserve sovereign control of information flows and does not respond to U.S. concerns about Internet vulnerability. See Timothy Farnsworth, “China and Russia Submit Cyber Proposal,” Arms Control Today, November 2011.
7. “A Report on the International Control of Atomic Energy,” Department of State publication no. 2498, March 16, 1946, www.learnworld.com/ZNW/LWText.Acheson-Lilienthal.html. Undersecretary of State Dean Acheson chaired the Secretary of State’s Committee on Atomic Energy; the chairman of the committee’s consulting board was David Lilienthal, chairman of the Tennessee Valley Authority.