By Meric Sar
“Dr. Strangelove: Of course, the whole point of a Doomsday Machine is lost, if you keep it a secret! Why didn’t you tell the world, EH?
Ambassador de Sadesky: It was to be announced at the Party Congress on Monday. As you know, the Premier loves surprises.”
– Dr. Strangelove, 1964
Chinese President Xi Jingping’s recent visit to U.S. may be paving the way for the super powers to enter into a mutual arms control agreement in relation to cyberwarfare, the first of its kind. Considering cyberwarfare and its regulation have grave implications for freedom of expression, the right to privacy, net neutrality and security of persons, human rights advocates should keep a close eye on this development.
On Sept. 25, in a press conference, President Barack Obama and President Xi declared their governments’ mutual intent to establish greater cooperation in fighting cybercrime. They vowed to refrain in the future from harboring malicious cyberactivities targeting the other’s information and communication systems. Remarkably, the parties also declared their interest in exploring the prospect for an international code of conduct applicable to states in relation to cyberwarfare.
This comes after the world witnessed the rapid development of cyberwarfare methods in the last decades. The risks posed by cyberwarfare makes its disruptive potential perhaps only comparable to nuclear weapons. Indeed, the dependency on information and communication technologies at all levels of modern life—from the power grid to satellites, banking systems and medical facilities—makes a cyberapocalypse a scary possibility when governments are willing to spend vast resources on malicious technologies to gain the upper-hand in a wartime scenario.
“YOU SHALL NOT HACK YOUR NEIGHBOR!”
Although it is premature to talk about a conclusive agreement, the common agenda of the U.S. and China at the recent talks had three main points: (1) greater executive cooperation in information sharing; (2) a greater commitment in policing domestic perpetrators of cyberattacks and refraining from providing any support to these groups; (3) and developing an international code of conduct for states to follow in relation to the regulation of cyberwarfare.
Both countries are already on the way to creating an executive system for information sharing and mutual assistance in the investigation of cybercrimes concerning malicious activity identified by either side. Furthermore, they will establish a high-level joint dialogue mechanism with the involvement of the intelligence community, which will be charged with the monitoring and reviewing this system.
Moreover, both heads of state also declared their commitment to “making common effort to further identify and promote appropriate norms of state behavior in cyberspace within the international community,” and agreed to create a senior experts group to develop a framework with the July 2015 report of the U.N. Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International security in cyberspace in mind.
The U.N. experts report reflects a multilateral understanding on certain norms, the majority of which were proposed by the U.S. Some of these include that states should not knowingly damage each other’s critical infrastructure using cyberattacks, should not target each other’s cyber-emergency responders in case of an emergency, and should assist other nations investigating cyberattacks and cybercrimes launched from their territories.
THE COSTS OF CYBER-WARFARE
In its simplest form, a cyberattack is conducted for purposes of espionage with an aim to break into someone else’s IT system, most often with an aim to retrieve trade secrets and other confidential information. Although cyber-espionage may seem to be a simpler form of cyberwarfare, its asymmetrical nature makes it particularly troublesome for an economy like that of the U.S., which relies heavily on advanced technological know-how. A single act of cyber-intrusion may result in tremendous losses in the form of leaked trade secrets and intelligence. Often, the financial impact of the attack will greatly outweigh the marginal costs necessary to facilitate such an act, which can be orchestrated by few hackers with modest resources. Furthermore, using moderate technical measures, the source of a cyberespionage attack can easily be cloaked. An important characteristic of the internet in China is that telecommunications infrastructure enabling online access routes are mostly owned by the government. This makes it essential for U.S. to gain access to the monitoring capacities of the Chinese government to be able to investigate and punish cyberattacks by Chinese individuals targeting U.S.
According to the chief of the NSA, General Keith Alexander, the loss of industrial know-how and related intellectual property through cyber-espionage constitutes the “greatest transfer of wealth in history,” as U.S. companies reportedly lose about $250 billion per year through intellectual property theft, and $338 billion due to cybercrime in general. Recently, China was also identified by the F.B.I. as the chief suspect for various cyberattacks, which exposed sensitive personal information of millions of U.S. government employees. The massive scale of the economic loss and national security vulnerability associated with cyber-espionage originating from China makes it an utmost priority for Obama administration to pull China into a fair game.
“ZERO DAY” WARFARE
Although some commentators are skeptical about whether China can be trusted to honor its commitment to refrain from state-sponsored cyber-espionage, an international regime of stability with regards to cyberspace is equally indispensable for a country like China, especially considering its ever-growing reliance on information technology systems to be able to sustain its economic development. This is where “zero day” cyberwarfare, the exploitation of unpatched software vulnerabilities that cannot be defended against, poses disturbing risks for China. Thus, China may greatly benefit from stronger cooperation with U.S. authorities and their unmatched capabilities in cyberwarfare so that it can develop state-of-the-art defense mechanisms.
A “zero day” attack is a form of cyber-sabotage that exploits a previously unknown (or undisclosed) vulnerability in a computer application. Often the developer of the application may not be aware of a “zero day” vulnerability in the software or application that he or she has designed. It is known as a “zero day” vulnerability because once the flaw becomes known and exploited, the developer of the computer application has zero days to mitigate its exploitation.
Normally, when a cybersecurity expert reveals a “zero day” vulnerability in a particular software, he or she should communicate the vulnerability to the software’s developer so that the developer can devise a method to fix the vulnerability and protect its clients from abuse. Avoid doing this, and the unfixed vulnerability will render other computers installed with the same software prone to attack from criminal hackers, corporate spies and foreign intelligence agencies, who may have obtained the knowledge of the vulnerability through other means.
A cyberattack that uses “zero day” vulnerabilities of operating systems could seamlessly take down a whole factory or nuclear plant. The most famous computer virus using “zero day” exploits was discovered in 2010, and was given the name Stuxnet. Stuxnet is believed to originate from a secret collaboration between the U.S. and Israeli governments. It was designed to damage certain nuclear facilities in Iran by infiltrating the targeted computers at the facilities in an effort to curb Iran’s nuclear enrichment activities. The virus relies on previously unknown vulnerabilities of operating systems, and can spread across a computer network without notice, infecting all the computer systems it encounters. The virus stays dormant until it reaches its target computer, at which point it can be activated to disrupt the computer’s system without revealing itself to the victim. Reports claim that the concept for Stuxnet originated from the renowned cyber-strategist General James E. Cartwright, who was the head of the U.S. Strategic Command, the agency responsible for nuclear deterrence, under the Bush Administration.
“DON’T ASK, DON’T TELL!”
Disturbingly, for a long period of time the N.S.A. followed a deliberate “nobody but us” policy restricting its officers from disclosing any “zero day” software vulnerabilities they reveal in the software they are using. Under this policy, when a NSA employee uncovers a “zero day” vulnerability on a piece of software (e.g. in the current version of Microsoft Windows), he or she has to keep the information secret in order to afford U.S. authorities a security hole in the systems of its adversaries that are using similar software. This policy has given U.S. government considerable advantage in “zero day” warfare methods.
Although the U.S.’ “nobody but us” policy may sound like an effective strategy to secure the upper hand for “offensive” purposes, it is far from convincing as a policy for maintaining “security” at home. Instead of encouraging transparency and timely dissemination of information to stakeholders in public and private industries in order to tackle technological vulnerabilities in a coordinated fashion, the NSA’s strategy relies on obscurity and informational asymmetry, rendering the national security itself open to abuse by malicious insiders or hackers.
The advances of the U.S. in “zero day” cyberwarfare do not mean that the U.S. has the sole monopoly over such tools either. In fact, Stuxnet is open source technology—meaning that currently anyone can download the source code and modify it for their own purposes.
A BEHAVIORAL EQUILIBRIUM
The current state of cyber-affairs can be compared to the intense period of nuclear armament that preceded the Limited Nuclear Test Ban Treaty, the signing of which took 18 years following the Hiroshima disaster. Perhaps we are approaching a behavioral equilibrium for super-powers in a way resembling the logic of the Cold War. Considering the mounting current costs and future risks for both China and the U.S. posed by an unregulated cyberspace with irresponsible actors, there is a large incentive for establishing rules that are internationally respected.
Cyber-attacks do not only target governments and corporations. NGOs and activists are also regular targets of such attacks. However, U.S.-China discussions thus far have failed to address such non-commercial civilian concerns. An international treaty on cyberspace may be an important first step. However, without addressing important civil issues such as free speech and net neutrality, international cyberspace law will not go far from merely representing the “policing” concerns of governments and intellectual property corporations. We must be wary of such a scenario as it will likely cause the internet to lose its truly “international” character and result in the fragmentation of internet into “fiefdoms” behind national walls.
Meric Sar is a Staff Writer for Rights Wire.
The views expressed in this post remain those of the individual author and are not reflective of the official position of the Leitner Center for International Law and Justice, Fordham Law School, Fordham University or any other organization.
Photo credit: Chris Robers/Defence Images