Cybersecurity Dilemmas: Technology, Policy, and Incentives: Summary of Discussions at the 2014 Raymond and Beverly Sackler U.S.-U.K. Scientific Forum (2015)

3 International Relations and National Security

Cyberattacks can come from anywhere in the world. The relevant technology and expertise to conduct them across borders are widespread and exist in both the public and private sectors. Moreover, just as information technologies can be used to conduct crimes, they can be used as weapons to instigate or escalate conflicts and crises. Threats exist in such areas as cybersecurity attacks, electronic warfare, information operations, and psychological operations, with malevolent actors ranging from criminals and terrorists to entire nations. A cyberattack could escalate to the point where one of the parties views it as an act of war. The more apocalyptic scenarios consider what offensive cyber actions can do to highly developed states with critical infrastructures that depend on Internet capabilities.

Conventional weapons require huge investments, whereas small groups with much more modest resources can develop and deploy cyberweapons. Many actors see a cyberattack as an instrument of asymmetric warfare against the United States and the United Kingdom and their allies. They may not be able to compete on the basis of military hardware, but they can compete in cyberspace. For all these reasons, cybersecurity has critical international dimensions.

Governments face a trade-off between on the one hand using new exploits to gain access to the plans and actions of adversaries and, on the other, exposing and fixing the same exploits to increase the security of communications. The public wants transparency, but the public and private sectors must deal with the use of information technologies for national security threats. The private sector wants to protect privacy to maintain the trust of consumers but is subject to demands for information from governments.

Law Enforcement and Intelligence

Law enforcement generally does not have the capability to deal with the high level of criminal activity that is occurring on networks, which is why law enforcement agencies in some places have increasingly turned to intelligence agencies for help. It would be expensive to provide law enforcement with the capabilities already present in intelligence agencies, and duplicating a capability that already exists is inefficient.

An issue here is that intelligence and law enforcement have traditionally had different goals: law enforcement typically has reacted to crimes, while intelligence agencies typically have sought to prevent threats from being realized. Now law enforcement is being asked to prevent crimes as well, which is one reason it has called on the services of the national security community, especially for dealing with foreign threats inside their countries.

In the United Kingdom, legislation passed in 1985 (the Interception of Communications Act), 1994 (the Intelligence Services Act), and 2000 (the Regulation of Investigatory Powers Act) provided for using information technologies to tackle terrorism and serious crime. Though rarely used in the past, these provisions are now used frequently. Government funds national intelligence agencies to protect national security, including the protection of armed forces operating overseas, countering proliferation, and uncovering state-sponsored cyberattacks. These agencies have developed sophisticated means of electronic espionage, and law enforcement is keenly interested in using these same tools to attack crime.

The United Kingdom decided more than 20 years ago, well in advance of its European partners, to impose the same basic regime for limiting intrusive investigative activity on its intelligence activities as on law enforcement. Laws regarding intelligence aim at preventing intelligence from being used for political purposes or commercial advantage. Not all countries can be expected to adopt such a model, but it suggests norms that could increasingly be adopted. Intelligence agencies could be regulated by publicly accessible laws, not by secret laws or presidential directives. Intrusive methods could be authorized by a warranting process. Principles of proportionality and necessity could be written into law and imposed as legal requirements. Intelligence activity could be independently overseen, particularly when it supports law enforcement, by an independent court to assess claims of abuse and award redress if powers have been abused.

The existing regime of mutual legal assistance treaties may require modernization to tackle cybercrime and terrorism on an international scale. Acquiring data through these treaties can take many months, which is too long to prevent many crimes or deal with a national security emergency. There are increasing jurisdictional disputes as more countries pass laws entitling their police and intelligence services to

seize data held in other countries while forbidding foreign agencies to do the same. Minimum standards for warrants, transparency, and jurisdiction could be implemented through a new international agreement.

Network Effects in Surveillance

Technology companies tend to view influence and profits in terms of networks. They try to develop and establish operating systems, social networks, software platforms, and other products in the expectation that other people will add value to those products. This has implications for cybersecurity, in that the emphasis is on rapidly increasing the number of people who use a platform, not on securing it. For example, if there are a lot of users, developers will create apps for them, and if there are a lot of apps, users will find the platform more appealing. In markets ranging from mainframes to personal computers to routers to social networks, security has tended to be added, if at all, only in the later stages of market competition.

Network effects can be seen in the intelligence world as well. As intelligence increasingly acts more like an information industry, network effects related to where most of the information accumulates and who has access to it will come into play. Network effects can influence the actions of intelligence and law enforcement agencies. For example, network effects can entangle countries with other states that use, or provide, the same platforms. Low marginal costs and technical lock-in can make it very expensive for governments or other entities to build independent networks, even if they perceive a strategic advantage in doing so.

No matter their political inclinations, most policy makers have given little thought to network effects, even though these effects could have a powerful influence on the distribution of power in the future. For example, network effects could convey power from the leading countries to an association of developed democracies, in the same way that network effects have drawn countries outside the European Union into the association.

The economic models used in information technology (IT) and in government have traditionally been quite different. Applying lessons learned about network effects in the IT industry to international security and surveillance could prove fruitful and might illuminate strategic policy questions about surveillance, information sharing, and international affairs.

Private Companies in an International Arena

Private companies that operate in multiple countries often find themselves facing dilemmas in responding to requests from governments for the data they hold. These companies have to abide by the laws of the countries in which they are based, and these laws typically take one of three forms; they

• prohibit the disclosure of information;
• require the disclosure of information;
• are agnostic as to whether information has to be released.

Two main statutes affect the disclosure of information in the United States. The first is the Stored Communications Act, which prohibits communications companies from sharing or disclosing data except in certain situations. This law does not cover responding to foreign requests in most situations. The second is the Pen Register Act, which is part of the Electronic Communications Privacy Act. It prohibits companies from disclosing data that move across networks unless certain exceptions apply. In the United Kingdom, the main statute that covers the protection of personal information is the Data Protection Act, which implements the European Union’s Data Protection Directive. It prohibits the transfer of personal data to any country outside the European Economic Area, unless that country can ensure an adequate level of personal data protection.

As companies receive more and more requests from foreign countries, they have developed policies to try to address these requests. Many of the largest companies have published transparency reports that describe the legal processes associated with the release of information. These processes are very similar, although there are some differences from company to company.

In general, if the foreign country requesting the information respects the rule of law, has a good legal system and a good human rights record, and the request complies with the local law of the jurisdiction in question, then a company is much more likely to disclose the data. However, requests are considered on a case-by-case basis, which is a resource-intensive process. Sometimes companies have no choice but to curtail or eliminate their operations within a given country because of the legal demands or restrictions they face in that country.

The revelation that the U.S. government has conducted large-scale surveillance of entities outside the United States has led some countries to consider enacting laws that would impede such actions. Other countries also have sought to enhance their own surveillance authorities, as a way to protect their own citizens.

A proliferation of such laws would further increase the difficulties companies face in deciding how to respond to data requests. A country where a data subject is located may have a law that prohibits the release of data. Another country without such a law may be interested in those data and request them. Companies try to navigate their way around conflicting sovereign interests, but the situation is difficult and is likely to become more so. Current mechanisms would need to be improved or new ones found to satisfy each country’s sovereign interests.

Issues like these have arisen in other contexts, so precedents and models do exist for making decisions. For example, treaties are the classic way for countries to deal with disagreements. In the context of information, the most important treaties are mutual legal assistance treaties. In some cases, countries can take advantage of mechanisms unilaterally. For example, a country could say that it is permissible for companies within its jurisdiction to cooperate with requests from other jurisdictions in particular situations. In such a case, domestic law can facilitate information sharing without going through difficult treaty negotiations.

In a joint investigation, law enforcement in two countries may be interested in the same criminal act, in which case an agency in the first country can get information from data providers in that country and share it with authorities in the second country. Sharing of information among law enforcement agencies also can happen informally without opening a joint investigation. Other options are available for international data sharing, creating several choices for a given situation.

Other countries have been considering whether they should require the use of local service providers instead of nonlocal providers in the possibly naïve hope of blocking efforts by the U.S. government to gain access to data. Similarly, many countries are defining Internet sovereignty in terms of control and censorship, which could affect hardware, software, and conventional practices in those countries.

However, such laws are likely to increase costs, and they will not eliminate all security issues and may introduce new ones. They also will not necessarily advance the economic and social interests of those countries, since they erect what is essentially a tariff barrier, making it more expensive to offer digital services in that country while facilitating censorship and social control.

Companies will continue to struggle with the competing demands from different nation-states, but network effects will press against the desire to establish separate, closed Internets. The existing multistakeholder governance system for the Internet can help resolve some but not all jurisdictional problems.

Arms Control as a Model for Cybersecurity

Protection from hostile cyber actions falls into four broad categories:

• Cyberdefense – protecting important IT assets.
• Cyberdeterrence – dissuading adversaries from launching hostile operations.
• Cyberpreemption and damage limitation – reducing the capability of the forces that an adversary might use.
• Cyber arms control – can entail workable agreements with potential adversaries to reduce the likelihood of hostile cyber operations and reducing damage should hostile operations occur.

Arms control agreements can have varying scope. They can be universal, such as the Geneva conventions that prohibit attacks on certain kinds of targets. They can be multilateral or bilateral, such as the agreements among NATO members or between the United States and Russia. Or they can be unilateral, where one country takes action for such purposes as reassuring others about its true purposes. Arms control agreements also can have varying mechanisms. Treaties, memoranda of understanding, and coordinated unilateral policies can all control the actions of signatories to the agreement.

One application of an arms control framework to cybersecurity might involve limitations on acquiring offensive capabilities. However, verification, a key element in arms control, may be very difficult. The operational capability of such a limit would depend on research and development, not on delivering manufactured systems. Moreover, seeing activities in cyberspace is hard unless they are conducted on a large scale. Cyberoperations depend on deception. Behavior does not always reveal intent, and intent is important in cyberspace, as elsewhere. Understanding intent depends on deeper knowledge, which would if revealed enable the adversary to anticipate actions and mount more effective defenses. Finally, the instrumentation needed to gather data would likely be extensive, highly intrusive, and easy to evade.

Another application of an arms control framework could be limiting the use of cyberattacks, for example, on national financial systems or power grids. Such limits may require cooperative measures, such as electronic identification of prohibited targets, analogous to the time-honored painting of a red cross on a hospital or ambulance. Such arrangements may not ensure compliance, but they could create or reinforce international or national norms regarding the acceptability of such behavior and be enforceable through reciprocal threat. They could also help to inhibit overt threats or to clarify redlines in an escalation ladder.

Cyberdeterrence has major legal and policy implications. It can work at the legal, policy, or operational level. For example, deterrence could involve defining a line past which a response is swift, sure, and damaging. One problem, however, is that redlines are constantly moving as the issues and technologies evolve, thus increasing the need for dialogue. The importance of these issues further emphasizes the importance of simulations and exercises.

The most likely application of an arms control framework would be through confidence-building measures. Examples from traditional arms control include notification of activities that might be observed but misinterpreted, means for communication during times of tension, agreed conventions for behavior, and non-interference with gathering data for verification of compliance.

Even small steps could yield progress. Development of a common vocabulary and conceptual structure could enhance mutual understanding. The desire to curb activities that countries generally agree are illegal could foster international cooperation. And communicating during crises, differentiating espionage from attack, cooperating against third-party provocateurs, or declaring cyber ceasefires could prevent inadvertent escalation.

Making Progress on International Issues

The international dimensions of cybersecurity will have a profound impact on the future of IT. The freedom, governance, and stewardship of the Internet are in play. Issues such as cyber sovereignty, censorship, and net neutrality are all highly salient.

National cyber strategies for peacetime, conflict, crisis, and warfare could be strengthened. Procedures to engage with adversaries could be compared and correlated within a country and perhaps internationally, as through the formation of cyber alliances or confidence-building measures. Cyber architectures, technologies, designs, and innovations in such areas as the cloud, big data, encryption, and identity management could be tracked and their impacts on international relations assessed. Cyber-related command- and-control systems, battle management, and situational awareness could all receive much greater attention. Gaming, exercises, simulations, and other forms of assessment could enhance preparation.

Non-state actors are wild cards for managing stability, because they can instigate or escalate crises. The legal notion that states are responsible for the actions of their citizens is often unenforceable in today’s world. However, attribution of actions is not necessarily as difficult as many non-state actors assume it is. Non-state actors could be identified in a noncrisis period so that they do not continue to believe that they are acting anonymously.

International law and norms to protect against international cyberattacks could be strengthened. A nation that finds itself under a massive cyberattack should be able to call for and expect international support. Article 28 of the United Nations Declaration of Human Rights, which protects the rights and freedoms set forth in the declaration, applies in the online world as well as the offline world. International humanitarian law also applies in cyberspace. Principles of protecting civilians and avoiding collateral damage apply in cyberspace. If it is a war crime to drop a bomb on a hospital, it is a war crime to disable a hospital with a cyberattack.

The government cannot delegate to the private sector the responsibility to police the Internet. However, companies do have a responsibility to their shareholders and owners to protect their reputations. If a company makes no reasonable attempt to detect illegal activities or cooperate with authorities, its reputation can suffer. This is another reason for dialogue between the public and private sectors.

At an international level, existing and new norms could be established and reinforced. For example, the U.S. President has suggested one new norm—namely, that the defense should prevail in the choice between keeping a vulnerability for future covert use and disclosing it to bolster cyberdefense. The military logic is that the breach of a defense can be much more serious than losing the hypothetical value of a future tool. Similarly, nations could agree that nuclear command-and-control and space systems are off-limits to cyberattacks because such attacks might irrevocably destabilize an already tense situation. Another potential norm is that intelligence agencies will not monitor the communications of heads of state and government of close friends and allies except when there is a compelling national security purpose. However, attempts to set up a blanket no-spying agreement are not likely to succeed.

In law enforcement, a set of norms could define the principles of cooperation in international law enforcement. The main objective of the Budapest Convention on Cybercrime is to create a common policy for protecting society against cybercrime, especially by adopting appropriate legislation and fostering international cooperation. This first international treaty addressing Internet and computer crime had been ratified by 46 states as of June 2015. Other examples of cooperation include the exchange of airline passenger information, the sharing of watch-list data, and mutual legal assistance arrangements. However, data sharing can prove controversial when it conflicts with existing privacy laws.

Another possibility would be a cyber council, such as a standing body within the United Nations or another international organization, where discussions can take place as the issues and technologies evolve. All participating nations would need to buy in so that everyone has a voice and a stake in the process.

Within countries, organizations could be established to build “cyber bridges” between the needs and capabilities of the public and private sectors. Today such efforts are often piecemeal and temporary, but more permanent and substantial entities could be created. For example, institutions could work to bridge responsibilities and capabilities between law enforcement and intelligence agencies.

International cybersecurity activities, including international surveillance, require oversight. The general public cannot be invited into a national security agency, but proxies for the public could safeguard trust. These individuals would need training and guidance to do their jobs well, and they would need the right level of authority, but general principles could be established to guide their oversight.

As pointed out in Chapter 1, the potential of technology to protect bad actors remains a point of contention, as systems that offer extremely strong protection become increasingly available. Yet the use of unusually strong protections also could heighten the surveillance of the people who chose to use them. At the same time, even if stronger protections become more widely used, existing and new technologies that are less secure will continue to yield tremendous amounts of information about potential threats. As more and more information is digitized, it will become available to supplement traditional intelligence and law enforcement methods.

In many cases, laws do not align among countries. This places companies in the uncomfortable position of having to try to comport with irreconcilable laws simultaneously. Companies try to achieve a balance on these issues. Governments could enhance collaboration by providing more protection for or assistance to the private sector with regard to these challenges.

In addition to the usual conflicts between national interests, cooperation among countries in cyberspace is hampered by policy makers’ unfamiliarity with the issues, rapidly changing technologies, and not many precedents. The sociological issues are as important as, if not more important than, the technological issues in international affairs. These sociological issues comprise public policy, planning, organizational structure, legal affairs, governance, and leadership.

Countries have fundamental differences in their approach to such areas as human rights, free speech, and sovereignty. Views on democracy, privacy, intellectual property, and many other legal protections can have a strong influence on cybersecurity. Many kinds and levels of engagement and dialogue will be needed to accommodate different national perspectives, world views, policies, and technologies. However, network effects make it difficult for countries to withdraw from existing networks. One result is likely to be some degree of sociocultural convergence as people use the same tools and exchange information.