Posts Tagged ‘cyberwar’
Monday reads: Internet activists’ limits in Iran; a middle ground for cyberwar; protests we saw coming
1. Internet activism running into its limits in Iran. Can a virtual movement survive without developing real-world institutions? (Foreign Policy)
2. Finding the sensible middle ground when it comes to cyberwar. Is there such a thing? (O’Reilly Radar)
3. Australian hackers rebel against content filtering. The sad thing is, government IT staff probably saw this coming, even if the Prime Minister didn’t. (The Canberra Times)
Perspective, Part II – Rethinking Google and China
The Net has enough commentary on the situation between Google and China, with the bulk of it focusing on whether this really amounts to Google walking the “don’t be evil” talk.
Over at The Atlantic, though, there’s a remarkable (and widely disseminated) post by Marc Ambinder that includes the following –
In the absence of an international treaty defining what cyber sovereignty consists of, it is hard to figure out the boundaries, much less police them effectively.
The geopolitics of cyber power suggests that centrally directed government espionage is…tolerated by U.S. officials.
…and…
There is no fear among U.S. officials that China would ever mount a crippling cyber attack against U.S. infrastructure, even though they have mapped our electrical grid and probably left behind some malware that could be triggerable at a later date. (For what it’s worth, the U.S. has also mapped China’s electrical grid.)
The entire post is remarkable, but these three sentences point to the international norms that have developed organically around the use of cyberspace to project power. Ambinder’s post is yet more confirmation that every day, no matter what governments or companies deny, information networks are subject to “attacks” – read unauthorized penetration and potential tampering – at a volume which is only hinted at, but is presumed to be stunning, and likely originates with governments as well as criminals. This happens largely out of sight, except for those directly involved – and it’s difficult to resist parallels with military activities in Afghanistan and elsewhere. We have come to accept, as a new norm, the unauthorized reconnaissance of networks that (presumably, but not always) exist within national boundaries – much as the international community already accepts, with a few glaring exceptions, that states will attempt to maintain surveillance of other states’ activities, without authorization.
The analogy doesn’t hold, though. Surveillance conducted in the physical world still presumes that sovereignty remains respected – and there are still several steps of tension between surveillance that a state perceives as “crossing the line” and outright conflict. If reconnaissance in an information network is accompanied by tampering – see Ambinder’s reference to malware that “could be triggerable,” above – the distance between reconnaissance and conflict is much, much shorter. If you accept the feasibility of the “Digital Pearl Harbor” threat (and I don’t), wouldn’t the placement of “triggerable malware” be the equivalent of finding, say, explosives rigged for remote detonation outside key infrastructure? Should there be a pattern of norms in cyberspace that is fundamentally different for that governing states’ behavior in the physical world?
Ambinder’s post hints that the pattern is actually closer to a MAD relationship (see the third quote above, emphasis on the for what it’s worth part), as existed between the U.S. and Soviet nuclear arsenals – with the implicit assumption being that this represents a sort of stability. I’m not sure that holds. What made MAD work was transparency – the impossibility of the surprise “first-strike” that negated the “mutual” part of MAD. That transparency is completely lacking when it comes to the use of power in cyberspace. There is near-zero attribution (officially, anyway) of activities, of tracing cyberwar back to identifiable cyberwarriors. There is a level of secrecy afforded to the cyber-environment that I’d wager tempts states to take more risks, producing greater instability over time.
Back to Google and China. Where this represents a landmark – or where it doesn’t – is in the transparency Google brought to the situation that developed. Fundamentally, Google’s decision challenges the international norm that has allowed activities like China’s to continue and proliferate across global networks. The proposition that Google’s decision implies is that if international actors are to interact on the global internet, a set of acceptable behaviors to govern their interactions must be defined through practice. Google’s decision in effect implies that current practice is unacceptable.
And it may be the case that only a non-state actor like Google, one not vested in questions of international power, could do this. Whether this challenge gains momentum – or whether we give up on the idea of a global internet altogether – remains to be seen.
Military robots and ethics – more debate, but still missing some questions?
In the BBC’s top technology stories tonight: a University of Sheffield professor of artificial intelligence states that a military robot’s ability to distinguish friend from foe reliably is still 50 years away, meaning that the technology needs restraint while the ethics catch up.
Regardless of whether it’s fifteen or fifty years, Moore’s Law practically mandates that the technology will outrace ethics and policies, absent a multinational commitment to constrain it. There are questions beyond rules of engagement as exercised by a semi-autonomous or autonomous robot – for instance, whether controllers, safely ensconced hundreds or thousands of miles away, constitute legitimate military targets. All such questions point to a grave potential – the probability that the growing use of robots could encourage rather than inhibit war, and expand the domain of the battlefield to include more civilians.
The same questions have been raised when it comes to cybersecurity, leading some to raise the idea of an international convention. If it comes about, it might need to aim at a larger ambition – to understand, and then govern automation as it advances and is applied to war.
Cyberwar and civil damage
From the front page of Sunday’s NY Times: the outlines of a continuing debate around the broader, unintended consequences of cyberwar.
This curious section appears about midway through the piece:
But some military strategists argue that these uncertainties have led to excess caution on the part of Pentagon planners.
“Policy makers are tremendously sensitive to collateral damage by virtual weapons, but not nearly sensitive enough to damage by kinetic” — conventional — “weapons,” said John Arquilla, an expert in military strategy at the Naval Postgraduate School in Monterey, Calif. “The cyberwarriors are held back by extremely restrictive rules of engagement.”
Despite analogies that have been drawn between biological weapons and cyberweapons, Mr. Arquilla argues that “cyberweapons are disruptive and not destructive.”
This seems odd, given Arquilla’s previously articulated concerns over “a grave and growing capacity for crippling our tech-dependent society [which] has risen unchecked,” and his advocacy for arms control in this area. Granted, he’s careful to distinguish “mass disruption” from “mass destruction,” but the line between mass disruption and simple destruction seems blurry. There would seem to be a great deal of nuance in advocating international controls on the one hand, and less restrictive rules of engagement on the other.
He does raise a point about interpretative differences as applied to both conventional and cyberweapons. Should there be a difference, especially if the full extent of collateral effects are unknown? The case study here might be electrical infrastructure – especially since it’s been featured so prominently in Department of Homeland Security arguments. As the LA Times has noted, the U.S. attack on Iraq in 2003 deliberately avoided attacks on electrical infrastructure – a significant change from the 1991 campaign, and its second- and third-order effects. If an attack on information networks has the same effect on electrical infrastructure as a conventional attack, should it be governed by the same rules? Or if it has the same second- and third-order effects as an attack on electrical infrastructure – regardless of whether or not the electrical infrastructure is targeted – should it be governed the same?
Underlying this debate is the simple trend towards a more integrated world, in material, communications, and social networks. It’s not a flat world by any measure, but the wiring continues to be put in place. As that happens it’s going to be even more difficult to separate warfare from its effects on civil society. So it’s important that this debate continue – to ensure, at a minimum, that the use of information systems to conduct war works to inhibit rather than encourage war.
Principles for defining cyberwar – a modest proposal
After re-reading yesterday’s link from Wired, I’m more convinced that it’s time to set a more precise definition for “cyberwar,” before the term gets further muddled, misused, and manipulated by politicians. These aren’t necessarily new – the issue’s been under debate in military legal circles since at least the mid-’90s – but hype and consequences seem to be outracing the debate.
Principle #1: A better definition of “cyberwar” should seek to inhibit rather than encourage war. Let’s start with the idea that “cyberwar” will include a set of acts, perpetuated through information systems, that by themselves legitimate an armed response. If we hope to limit armed conflict – and preserve the Internet as a forum for dialogue – we have a responsibility to keep the set of acts constituting “cyberwar” to a carefully limited domain. Which means…
Principle #2: It isn’t cyberwar unless it’s war. References to the “digital Pearl Harbor” scenario – some of which are oddly reminiscent of Y2K fears – tend to paint a picture of cybercrime on a massive, anarchic scale. Take this excerpt from a 2000 article in the Air & Space Power Journal. It’s worth quoting in its entirety:
“One step higher in the conflict spectrum is the situation where a government agent actually denied services, corrupted data, or placed alternate data in the target country’s computer system, resulting in a shutdown of that country’s infrastructure assets (loss of power, utilities, air traffic control, etc.) potentially causing chaos and death in the target nation. We have now undoubtedly entered the arena of offensive Information Warfare (IW). Although no bombs or missiles have been dropped or launched, the target country has suffered actual, tangible damage. It would be difficult, indeed, to convince the targeted country that they were not under attack. Most likely, the “victim” state would believe that they had the authority (and perhaps a “duty”) to defend themselves under the authority of Article 51 of the U.N. Charter. Surely most victim countries would perceive this as an “act of war,” “use of force,” or “act of aggression,” or whatever terminology they decided would best serve to justify their retaliatory action. Academic debate of semantics would abruptly end when news programs could broadcast images of the tangible results such as aircraft wreckage, starving city dwellers, hospital intensive care units without power, riots, et cetera, and negative attention would turn toward the aggressor state.”
The word on which this excerpt turns is in the third line: “…potentially causing chaos and death…” It’s a dangerous qualifier. It does seem sensible to include within the realm of “cyberwar” those acts which cause death and chaos, as long as we can precisely define chaos in terms of state sovereignty. But that word “potentially” tends to loosen the causation link between the act and the consequence. “Potentially” takes us away from [U-boat blockade = British starvation] to [financial system disruption = starvation], which I’m not convinced is the same thing. A definition of cyberwar that loosens causation – that, in other words, cannot demonstrate a direct, causal relationship between an intentional cyber-act and a violent outcome – blurs the line with cybercrime, and thereby makes the potential for war easier. Which implies…
Principle #3: Cyberwar should be attributable to cyberwarriors. Laws and conventions governing war require uniforms and markings. Military vehicles are marked as such, clearly distinguishable from, say, civil ships and aircraft. The more difficult it is to separate criminal acts from a legitimate use of force, the greater the opportunity for misattribution and retaliation…and the greater the temptation for states to engage in illegitimate uses of force.
This last point seems quaint – certainly, there’s a lag between laws and conventions defining war, and the technology used to wage it. But isn’t that the point? John Arquilla of the Naval Postgraduate School has pointed out that the Chemical Weapons Convention offers a solid precedent for restraining a “cyber arms race,” a race which will take on velocity if we can’t get our definitions under control.
Minor addendum, part I: With reference to principle #2 – and Arquilla’s own belief in the potential for a cyber 9/11 – is it really sensible to develop terms around the scenario of an act that’s limited purely to information systems? It’s unconvincing. Such an act, even if possible to the description outlined above, doesn’t seem rational. It would likely leave most military forces intact, which means that the attacked state would preserve significant potential for a very real and damaging response. A more likely scenario seems one in which a “digital Pearl Harbor” is accompanied by an actual Pearl Harbor…in which case the digital side is just a secondary accompaniment to a very real act of war.
Minor addendum, part II: As Arquilla also points out, Russia (“ironically”) has been advocating an agreement to govern cyberwar for 13 years. This NY Times article from June highlights the differences between U.S. and Russian stances.
Three for Tuesday
Seen around the cyber-halls on a Tuesday afternoon:
1. Courtesy of Slashdot and Spiegel Online: SWIFT, which handles transfers between financial institutions, is moving its servers and database from the U.S. to Europe. The EU is likely to let the U.S. to continue to monitor SWIFT transactions for anti-terrorism purposes…at least for now. How likely would approval have been if this move had been made during the Bush years? Will a change of…well, tone on the part of the Obama Adminstration be enough to mollify opposition to activities that arguably encroach on European privacy measures?
2. Over at Wired’s Dual Perspectives, Kim Zetter has an article that sort of makes the right point…that we need much improved definition around terms like “cyber war” and “cyber attack”…but then muddles that point with language like this: “In a battle where the militarized zone exists solely in the ether(net) and where anyone can wield the cyber-equivalent of a 10-ton bomb, how do we fight, let alone find, the enemy?” To illustrate the point, there’s a reference to the infamous Homeland Security video from 2007 about the U.S. power grid, and a story from 1982 (!) about a logic bomb that literally detonated a Siberian pipeline. I’m not convinced that you get anywhere close to un-muddling terms like “cyber war” until we stop using military metaphors that don’t really mean much, viz. cyber-equivalent of a 10-ton bomb.
3. Courtesy of North Korean Economy Watch: somebody put KCNA on Twitter. Which means that Twitter might just be pure entertainment.
Radical Instrument 