Both China and the United States have a vested interest in de-escalating tensions in cyberspace. In the post-Snowden world, the United States has lost its self-conferred leadership role in promoting global Internet freedom, whereas China is seen as recklessly expanding its cyber espionage activities.  Within only a year the fluctuant pendulum of world opinion has decisively swung back and forth between the two nations until finally reaching equilibrium that may be interpreted as a “cyber stalemate”. 

The public outcry after the revelations of the 2013 Mandiant Report with its exposure of the Chinese military unit labeled “Advanced Persistent Threat 1,” and its alleged cyber espionage activities, yielded, based on the disclosures of Edward Snowden, to privacy fears of an all-intrusive NSA in the last few months. However, rather than perceiving it as a serious setback, the current cyber stalemate between the United States and the People’s Republic of China should be seized by political leaders in both countries as an urgent incentive to push for cooperation and strategic stability in cyberspace. In that respect the United States has recently taken the lead. 

The Obama administration’s briefing for the Chinese military leadership on the US military doctrine for defending against cyber attacks was an unprecedented step towards strategic stability in cyberspace. The US military is envisioning to spend USD 26 billion in the next five years on protecting its networks from intrusions, but also to continue to develop offensive cyber weapons. This naturally leads to uneasiness in the technologically inferior PLA as well as among the Chinese political leadership, which threatens to further destabilize an already precarious relationship. While the Pentagon is disappointed that the Chinese have so far not reciprocated its openness, indications from the briefing suggest that the U.S. military has finally come around to actively seek strategic stability in cyberspace through some form of cyber deterrence. 

One way to increase the deterrence factor vis-à-vis adversaries is to have a more systematic public display of nation states' cyber war capabilities. In the past, the media has been used to convey a country's cyber warfare capabilities with strategic leaks of classified information (e.g. Operation Olympic Games) to some news outlet as part of a country's unofficial cyber deterrence strategy. Now, the United States has taken a more direct, nuanced and official approach by outlining its military doctrine without, presumably, detailing the capabilities of U.S. offensive cyber weaponry. The Pentagon presentation made it easier for the Chinese leadership to discern the infamous “red line” for the United States regarding Chinese cyber attacks and improved the signaling mechanisms between the two countries. 

Another sign for the willingness towards de-escalation is the recent announcement by the Obama White House that the NSA will more openly share intelligence on zero-day vulnerabilities—security holes in software that are unknown to the vendor and are exploited by hackers before they can get fixed. There is a loophole of course: the NSA can still withhold information in case of a “clear national security or law enforcement need.” Yet, as a spokeswoman for the US National Security Council states:  “This process is biased toward responsibly disclosing such vulnerabilities.” 

This is almost certainly part of a carefully planned publicity campaign, and it is primarily meant to assuage the U.S. private sector, which, more than ever, is vulnerable to losing global market shares to foreign competition after the revelations of its tacit cooperation with US intelligence agencies. Nevertheless, the zero-day vulnerability announcement is also a clear signal to U.S. adversaries that the United States is interested in stabilizing cyberspace by its willingness to “unilaterally disarm”, parts of its cyber arsenal.   

Technological inferiority is still a grave concern to Chinese top military brass. As Major General Wu Jiangxing, president of the PLA Information Engineering University, stated in an interview: “The gap is that China does not have a cyber army, whereas the United States has established a Cyber Command, certainly with cyber warfare units.” This refrain, heard time and again from the Chinese side, however, has so far not yielded any diplomatic benefits.  The U.S. offer on quasi-unilateral disarmament (or at least the discussion thereof) may be a first step in mollifying corresponding Chinese fears. 

However, despite the recent emphasis by senior Chinese leadership on cyber security, the reaction by the Chinese government has so far been tepid and no discernible reciprocal steps have been taken by, for example, the People’s Liberation Army. On the contrary, as the 2014 Mandiant Report states:  

The Chinese government is expanding the scope of its cyber operations, and China-based advanced threat actors are keen to acquire data about how businesses operate—not just about how they make their product . . . Despite the recent accusations and subsequent international attention, APT1 and APT12’s reactions indicate a PRC interest in both obscuring and continuing its data theft. This suggests the PRC believes the benefits of its cyber espionage campaigns outweigh the potential costs of an international backlash. 

It is now China’s turn to remove some of the veils covering its activities in cyberspace in order to de-escalate tensions. While there is an inherent asymmetry between U.S. and Chinese military capabilities in related technology, this should not be used as an excuse by the Chinese leadership to avoid a more open engagement with the United States in the coming months and try to break the cyber stalemate between the two rivals. 

Photo Credit: U.S. Secretary of Defense via Flickr

“The Internet is the greatest revolution in human history.” Neelie Kroes, Vice President, European Commission, at NETmundial.  

Just weeks before the World Cup, the Brazilian government hosted 800 people in São Paulo at the two-day “NETmundial” meeting to discuss Internet governance principles and institutional structures. Roughly equally divided among representatives of governments, corporations, civil society and technologists, the in-person participants were supplemented by hundreds of netizens assembled in “remote hubs” on every continent.

The meeting opened with a video featuring vignettes of young people smiling and saying “It’s My Internet!” Brazilian president Dilma Rousseff followed by signing with great flourish the just-passed “Marco Civil,” a law establishing a comprehensive framework of privacy and other legal protections for consumers and providers of the Internet in Brazil. With three billion users now online, and the impending arrival of billions more from developing countries, it is surely time to figure out how this global resource will be managed.   

A sense of being present at an unprecedented moment in the discourse regarding the future of the Net pervaded the proceedings. The purpose of the conference, announced last summer by Rousseff after she learned her cell phone had been hacked by NSA, shifted in the ensuing months from a potential NSA-bashfest to an experiment using “multistakeholderism” to produce a 12-page non-binding “outcomes” document. While a majority present may have shared the view of one young Indian netizen that governments and companies are merely trustees of the Internet on behalf of the people who use it, the advocates of more traditional values and international decision-making processes were a vocal, if at times, unwelcome minority.

On the government side, senior delegations came from Brazil, Canada, the EU, Germany and the U.S., along with official representation from China, India, Iran, Russia, Saudi Arabia, South Korea and most of Latin America. Governmental attitudes ranged from hopeful, to cynical, to disoriented. Civil society, on the other hand, enjoyed the limelight and the opportunity to advocate publically on human rights, gender balance, net neutrality, free access to information and surveillance. These themes are reflected, albeit somewhat tentatively, in the conference’s final product. The technical and academic community was fascinated, and very much in their element. Companies, with good reason, were nervous: while the outcome is non-binding, it could become fodder for incorporation in the International Telecommunication Regulations that will be revised in October at a meeting in South Korea. 

Multistakeholderism, like many young life forms, is an awkward and somewhat tentative thing. Seven languages spoken with consecutive translation, four sectors represented plus the remote hubs, representatives standing in line to make two-minute interventions, and the open observation of the small drafting groups produced a slow and only “rough” consensus. And, with no governmental representatives on the drafting groups, one had the unique experience of seeing Canadian, German and U.S. cyber ambassadors leaning in, straining to try to hear the deliberations. 

The agenda for human rights (and precious little was heard about the responsibilities that attend rights) was fired by post-Snowden concerns: freedom of expression requires privacy, and governments have the primary legal and political responsibility to enforce human rights. And yet they are the architects of mass surveillance, coercing unwilling firms into participation. Indeed, even a Chinese data services provider argued for a safe harbor from liability to their customers in such coerced situations. The outcome document implies that the actions of such intermediaries should be subject to international human rights norms, as a matter of policy if not of law. Rousseff noted that human rights thrive under the shelter of the state, not in its absence. 

This meeting may have been the first convocation of a global Internet polity, focused on “what benefits humanity as a whole” and working toward what World Wide Web inventor Tim Berners-Lee termed a “global Magna Carta” to make the Internet a “territory of trust.” Yet, a variety of governments, including China, Cuba, Ecuador, India, Indonesia, Russia and Saudi Arabia defended traditional multilateral processes for making global decisions, along with the sovereign rights of the state in Internet matters within their boundaries. The state is apparently not dead yet, even on the Internet. 

In the end, the answer to the question, “Is the meeting about governance of the Internet on the Internet, or in the era of the Internet?” seemed to be “All of the above.” The Internet, a force for democratization, must itself be democratically managed, and the movement to inculcate multistakeholderism into other international organizations was just launched in São Paulo. 

Photo credit: Blog do Planalto

_

Bruce McConnell piece also appeared on the Foreign Policy Association Blog and the International Policy Digest. 

Conference presentations were organized by topic in more than 70 sections—each section based on different subfields or areas of study. Many presentations were interdisciplinary, drawing scholars from different fields and providing a variety of perspectives. In 2013, over 5,700 participants—from the United States and 55 countries throughout the world—presented more than 4,700 papers. Kostyuk's paper was presented during the panel on “Policy Challenges in the Internet Age.”

By doing so, this global team of science, technology, engineering and mathematics professionals continues to set the fundamental tenets of a common language within the cybersecurity domain. This bilateral collaboration began several years ago and produced Critical Terminology Foundations, the first report, which contained 40 terms and was released in 2011. 

Valery Yaschenko, senior vice-director of Lomonosov Moscow University’s Security Institute, explained, “Our goal is to avoid technical and scientific arguments and offer clear and useful ‘political’ definitions.” Plans are underway for this work to extend to Chinese, French, Hebrew and other languages. 

EWI Senior Vice President Bruce McConnell emphasized the importance of further cooperation with the Russian team and suggested they jointly explore other critical areas, such as critical infrastructure protection and the cyber arms race.

Click here to download full report: Critical Terminology Foundations 2

Last week the Chinese state-run Xinhua News Agency announced that Chinese President Xi Jinping is personally presiding over a newly founded government body entitled the Central Internet Security and Informatization Leading Group. A similar and less senior group, in the past headed by the Chinese Premier, has been in existence since 1993. The purpose of the new group is to “lead and coordinate Internet security and informatization work among different sectors, as well as draft national strategies, development plans and major policies in this field.” 

The exact mechanism, mission and scope of this new body are unclear. However, the two deputy heads of the group, Li Keqiang and Liu Yunshan, the former the leading figure behind China’s economic policy, the latter the director of the Propaganda Department of the Communist Party of China Central Committee, suggest that a principal emphasize will be placed on streamlining content control (e.g., internet censorship) and to ramp-up cyber security in the ever modernizing Chinese private sector. 

This new body reconfirms emphatically the strategic importance of cybersecurity to the Chinese leadership. Diplomats and foreign policy makers in both the United States and China can no longer deny that this issue will be of the utmost importance in the years ahead (Coincidentally, in the U.S. State Department, a new function has been added to the post of Under Secretary of State for Economic Growth, Energy, and the Environment, Catherine A. Novelli, as the Department’s Senior Coordinator for International Information Technology Diplomacy). It also confirms that even in the high echelons of power, leaders agree that cybersecurity can no longer be viewed in isolation, merely confined to the technical level and technical experts.  Cybersecurity permeates all spheres of the China-U.S. relationship in one way or the other, whether it is the relationship with Taiwan, human rights, trade negotiations, or military to military dialogues. 

With regard to the China-U.S. relationship in cyberspace in particular, impaired by the NSA scandal and accusations of Chinese industrial espionage, this new body should be seen as an incentive to more than ever push China-U.S. cooperation on a selective number of cybersecurity issues such as the protection of mutually beneficial critical information infrastructure from cyber attacks and better ways to cooperate on jointly combatting cyber crime. 

Ostensibly, this may seem difficult. The report of the U.S.-China Economic and Secuirty Review Commission bluntly stated that China has not cut down on its industrial espionage activities in the United States. Conversely, China has not stopped pointing out the alleged double standard of the United States on this subject, perennially citing the Snowden revelations as a backup. During the China-US Summit in June 2013 in California, Xi Jinping insisted that China was also a victim of “cyber theft.” President Obama characterized the discussions on cybersecurity “very blunt.” Even progress of the official China-US Working Group on cybersecurity, hailed as a step in the right direction, has also been very slow. 

Yet, given the volatile nature of the current world economy and the importance of both the United States and China within it, ways have to be found where both countries can cooperate on certain mutually beneficial issues, while circumventing their disagreements in other domains. For example, my colleague Dr. Greg Austin, in a keynote delivered at the 2014 Canada-US Cybersecurity Conference: Securing Our Financial Infrastructure proposes that China and the United States cooperate on the international protection for exchanges and clearing houses in cyberspace. 

Austin argues, “states should commit by treaty to the absolute protection in cyberspace of designated exchanges and clearing houses in the same way as they now commit to the absolute protection of diplomats as internationally protected persons and embassies as internationally protected premises.” For example, a China-U.S. working group could look at the 1997 Convention on Crimes against Internationally protected persons and use it as a framework for a “Convention on Internationally Protected Facilities.” Of course, this will be a tricky thing to sell to the private sector. Government intervention especially in the financial sector is a touchy political subject. Yet the risks in cyberspace are ever increasing and time for voluntary best practices may have run out. 

With regard to the United State and China jointly working on such a sensitive issue there is surprisingly a precedent from 2010. Back then, the United States and China were among some 24 countries to sign the 2010 Beijing Convention and 2010 Beijing Protocol, multilateral agreements which require states, inter alia, to criminalize cyber attacks (though the convention used a more general term of “new technologies”), and certain preparatory activities, that target civil air navigation facilities and aircraft in flight, as Austin outlined in his addressed. 

Perhaps then, the new emphasis by the Chinese political elite on cybersecurity, as exemplified by the new Central Internet Security and Informatization Leading Group, should be used by the United States to explore this option. 

Read the full piece on China-U.S. Focus. 

The current crisis in Ukraine has again made one thing very clear: Any future conflict will involve military activities in cyberspace. Last Friday, unidentified men seized several control centers in Crimea run by Ukrtelecom JSC, Ukraine’s telecommunications provider, essentially cutting off the peninsula from mobile, landline and Internet services. Conversely, RT (formerly known as Russia Today) was hacked by unknown assailants. There have also been reports that members of the Ukrainian parliament’s cell phones have been jammed. So far no other confirmed reports have emerged about cyberstrikes on Ukraine’s critical information infrastructure, and up to now hacker forums—a good indicator for “cyber mobilization”—have been remarkably quiet.

Of course, complex government-sponsored cyberattacks can evade detection, but the restraint shown by Russia is not without reason: Sophisticated cyberweaponry, such as the Stuxnet worm, is hard to contain and may affect Russia’s own network and communication nodes. A historical analogy would be the use of poison gas during World War I that could blow, depending on the wind direction, either way. However, the reach of cyberweapons transcends front lines.

The “blowback fear” is not as farfetched as it seems. Unlike Syria, where the country’s critical information infrastructure is highly centralized and where the Obama administration was contemplating cyberstrikes, Ukraine hosts a decentralized critical information infrastructure network and is served by many Internet Service Providers. As an analysis by Internet intelligence company Renesys states:

Ukraine has a strong and diverse Internet frontier, with more than 200 domestic autonomous systems purchasing direct international transit (out of a total of more than 1,650 domestic ASNs). The roads and railways of Ukraine are densely threaded with tens of thousands of miles of fiberoptic cable, connecting their neighbors to the south and east (including Russia) with European Internet markets. The country has a well-developed set of at least eight regional Internet exchanges, as well as direct connections over diverse physical paths to the major Western European exchanges.

Consequently, a “cyber knockout blow” will certainly have repercussions in Russia and other parts of the world. Also, unlike warfare in the real world, cyberwars are won and lost by private sector companies and their ability to protect their networks and spot attacks. Companies such as Gazprom and the Russian nuclear plants bordering Ukraine would be more affected by cyberstrikes due to their mere geographical proximity to Kiev. For now, both Russia and Ukraine appear to be limiting their cybercampaigns to minor exchanges mostly consisting of patriotic propaganda, low-key hacks, as well as physical protection and seizure of network infrastructures.

Russia also showed restraint during its 2008 invasion of Georgia when conducting its cyberwar campaign against the country’s digital assets. The attack consisted mostly of Distributed Denial of Service Attacks, which knocked websites offline for a few hours to days, jammed network communications and disrupted military communication nodes. Russia refrained from destroying civilian critical information infrastructure, such as power plants or digital records in hospitals. Some analysts argued Russia feared that a revelation of its more sophisticated cyberweaponry would tilt the asymmetrical cyberarms race between Russia and NATO even more in favor of the latter.

Today, NATO is playing a role in Russia’s consideration about launching a full-scale cyberwar against Ukraine, as well. NATO could quickly be drawn into the cyberaspects of the conflict by Ukrainian hackers planting false digital leads, which attribute attacks on NATO’s critical information infrastructure to Russia, pitting both sides against each other. Attribution, after all, is still one of the most complex problems in cyberspace, and the greater and more intense a cyberconflict is, the more difficult it will become to trace back the origins of cyberstrikes.

As during the Georgia-Russia War, patriotic hackers are the frontline troops in this conflict—the grunts of cyberspace. Ukrainian hackers have a reputation for talent and ingenuity, and it will be a hard battle for Russian cyberwarriors to obtain what the U.S. Air force calls “cyber superiority” (i.e., network domination), even if it is to Russia's advantage that much of Ukraine’s telecommunications infrastructure was built during the Soviet era.

Almost by definition, this will be a covert war, and we will see only some marginal reflections in public. In reality, there is no certain way to assess Russia’s true intentions and activities in cyberspace.

Yet, given what we know from open-source intelligence, Russia, will most likely exercise constraint in its activities in cyberspace during this crisis regardless of its outcome. The question whether cyberwar will happen over Ukraine is a non sequitur: Cyber may be the fifth domain of warfare, but it is the only domain that permeates all other spheres (air, land, sea, space); therefore, it will play a role no matter what. If a shooting war starts, cyberattacks—particularly on anti-aircraft systems, military and civilian communication nodes—may occur, but Russia will surely think twice before deploying the most sophisticated cyberweapons in her arsenal. 

Photo Credit: mediageek