Me Thinks They Doth Protest Too Much: Espionage in the Cyber Age

This past weekend brought more Snowden flakes about NSA spying. However, this time the alleged espionage targeted not American citizens, “foreign nationals reasonably believed to located outside the US,” or China but American allies–European Union (EU) officials, diplomatic facilities, and computer networks. If true (as seems likely from US government responses–see below), these leaks combine with the previous disclosures about NSA surveillance to inform people of the scale, capabilities, and audacity of US intelligence gathering activities.

European leaders expressed shock and took much umbrage, with some dredging up the dark spying days of the Cold War and others issuing threats of adverse consequences for upcoming US-EU negotiations on a transatlantic trade agreement. Responses from President Obama, the Director of National Intelligence, and Secretary of State made the same point–the US engages in espionage as all nations do in order to protect foreign policy and national security interests.

This response was simultaneously true and disingenuous. All countries spy in some form or another, and, European public displays of anger aside, the spying includes keeping an eye on allies. And that includes the intelligence agencies of European countries whose leaders were shocked–so shocked!–at the US gathering intelligence on their possible future actions. The response was disingenuous because the US has an intelligence capability that is unrivaled in the world and the political and economic power to pursue espionage without fear of serious consequences. See, for example, the US-EU transatlantic trade talks will start as scheduled despite lots of frothing Euro mouths.

However, not too long ago, it was American officials and politicians who were frothing about Chinese cyber spying against the US government and US-based companies. Snowden’s apparent disclosure of large-scale US cyber espionage against Chinese government, business, and academic targets and, now, allegations about US spying on European governments, makes the past few months of portraying Chinese cyber espionage as beyond the pale look, well, less impressive. Even the US attempt to distinguish economic espionage against companies from classical state-on-state spying gets lost in the growing perception–now directly re-enforced by the US government–that all countries engage in espionage against allies and rivals whenever and however they see fit. In this light, earnestly repeated assertions by China that it does not engage in cyber espionage against the US and other countries and that it is the innocent victim of American spying appear, strangely, rather unseemly for a rising world power.

Should the protagonists in these events stop whining about espionage and just get on with it? Or, do these revelations suggest that the Internet has turned “everybody does it” espionage into an out-of-control phenomenon that damages individual privacy, alliances, and great power politics and requires some re-thinking? Existing international law is permissive of spying, and the few international legal rules that contain limits do not constrain the practice in any effective way. As already indicated, Snowden’s leaks have derailed the US effort to portray Chinese cyber espionage as outside “norms of responsible behavior in cyberspace,” and the coordinated chorus from top US government officials to the latest leak that “all nations do it” might well have ended the willingness of other countries to consider American ideas about re-thinking international norms about espionage in light of the global importance of the Internet.


Call Me, Maybe: New US-Russia Cybersecurity Initiatives

At the G-8 meeting in Northern Ireland, the United States and Russia made efforts to improve bilateral relations, and these efforts include new initiatives on cybersecurity that mean, according to the White House, the US and Russia “now are leading the way in extending traditional transparency and confidence-building measures to reduce the mutual danger we face from cyber threats.” These initiatives involve:

1. Deeper engagement through senior-level dialogue. Through the existing US-Russia Presidential Bilateral Commission, the two countries are establishing a new working group tasked with assessing emerging threats to information and communication technologies (ICTs) and proposing joint responses to such threats.

2. ICT confidence-building measures. The US and Russia agreed to implement new confidence-building measures (CBMs) “designed to increase transparency and reduce the possibility that a misunderstood cyber incident could create instability or a crisis in our bilateral relationship.” The CBMs seek to strengthen US-Russian relations in cyberspace, expand a shared understanding of cyber threats that appear to originate in each other’s territories, and prevent escalation of cybersecurity incidents. The CBMs adopted are:

    – Links and information exchanges between the US and Russian computer emergency readiness teams (CERTs) to increase information sharing between the two countries on “technical information about malware or other malicious threats” in order to facilitate “proactive mitigation of threats.”

    – Exchange of cybersecurity notifications that will permit communications and “formal inquiries about cybersecurity incidents of national concern.” Such information exchanges and inquiries will flow through the existing Nuclear Risk Reduction Center, established in 1987 between the US and the former USSR, in order to facilitate reduction of “misperception and escalation from ICT security incidents.”

    – Direct cyber hotline between the White House and the Kremlin to provide a secure means to “manage a crisis situation arising from an ICT security incident.” The direct cyber hotline will be integrated into the existing Direct Secure Communication System the two countries maintain.

The White House also indicated that, in order to “create predictability and understanding in the political military environment, both the U.S. and Russian militaries have shared unclassified ICT strategies and other relevant studies with one another. These kinds of exchanges are important to ensuring that as we develop defense policy in this dynamic domain, we do so with a full understanding of one another’s perspectives.”

These steps by the US and Russia are important for cybersecurity because the two countries are applying approaches used in arms control contexts (e.g., CBMs and “hotline” communications) to cybersecurity challenges. This strategy dovetails with needs emphasized in cybersecurity policy–the need for better “situational awareness” and transparency through increased information exchange and for stronger, more effective cooperation among key countries through functional collaboration at the technical level and political interactions among high-level officials.

Although based on long-standing arms control strategies, their application to cybersecurity will develop its own features given the differences between addressing cyber threats and, say, preventing nuclear war. In arms control contexts, CBMs have, at best, a mixed record, so we should not expect “iCBMs” to be a panacea for cybersecurity problems experienced nationally or internationally. The US-Russian initiatives do not restrain, for example, cyber espionage or development of more powerful military cyber capabilities or resolve disagreements the US and Russia have over broader cyberspace issues, such as Internet governance and “Internet freedom.” But the US-Russia initiatives provide a test case for understanding whether legacy strategies from arms control, such as CBMs and hotlines, can contribute to stabilizing geo-cyber politics.

“Peace with Justice”: Nuclear Weapons and Cyber Surveillance

In his June 19 remarks at the Brandenburg Gate in Berlin, President Obama stressed the theme of achieving “peace with justice” in addressing challenges the United States and its allies face–and two of the challenges he highlighted are of interest to the readers of Arms Control Law–nuclear weapons and cyber surveillance against terrorism.

Nuclear Weapons

Press reports have often focused on the President’s proposal to reduce the numbers of US and Russian nuclear warheads by one-third from the levels set in the New Start Treaty. But the President’s remarks went beyond this proposal to lay out an even more ambitious agenda of nuclear diplomacy for his second term.

After declaring that “so long as nuclear weapons exist, we are not truly safe[,]” the President said:

Peace with justice means pursuing the security of a world without nuclear weapons — no matter how distant that dream may be. And so, as President, I’ve strengthened our efforts to stop the spread of nuclear weapons, and reduced the number and role of America’s nuclear weapons. Because of the New START Treaty, we’re on track to cut American and Russian deployed nuclear warheads to their lowest levels since the 1950s.

But we have more work to do. So today, I’m announcing additional steps forward. After a comprehensive review, I’ve determined that we can ensure the security of America and our allies, and maintain a strong and credible strategic deterrent, while reducing our deployed strategic nuclear weapons by up to one-third. And I intend to seek negotiated cuts with Russia to move beyond Cold War nuclear postures.

At the same time, we’ll work with our NATO allies to seek bold reductions in U.S. and Russian tactical weapons in Europe. And we can forge a new international framework for peaceful nuclear power, and reject the nuclear weaponization that North Korea and Iran may be seeking.

America will host a summit in 2016 to continue our efforts to secure nuclear materials around the world, and we will work to build support in the United States to ratify the Comprehensive Nuclear Test Ban Treaty, and call on all nations to begin negotiations on a treaty that ends the production of fissile materials for nuclear weapons. These are steps we can take to create a world of peace with justice.

Predictably, this agenda has sparked questions, skepticism, and opposition. But, with the speech, the President made clear that he wants his presidential legacy linked with global progress toward a world without nuclear weapons.

Cyber Surveillance and Terrorism

In a less noted section of the speech, the President included the challenge of “balancing the pursuit of security with the protection of privacy” within the “peace with justice” agenda. Here the President was referring to the international controversies caused by the disclosure of secret US surveillance programs, including PRISM, which targets Internet communications of foreign nationals. The President’s host, German Chancellor Angela Merkel, has been one of the leading European politicians to raise concerns about PRISM. The President said:

Our current programs are bound by the rule of law, and they’re focused on threats to our security — not the communications of ordinary persons. They help confront real dangers, and they keep people safe here in the United States and here in Europe. But we must accept the challenge that all of us in democratic governments face: to listen to the voices who disagree with us; to have an open debate about how we use our powers and how we must constrain them; and to always remember that government exists to serve the power of the individual, and not the other way around. That’s what makes us who we are, and that’s what makes us different from those on the other side of the wall.

Unlike pushing nuclear diplomacy forward, President Obama, no doubt, did not plan to talk about this issue in this speech but was forced to do so by the fallout from the disclosures. Here, the President defends what he believes is “peace with justice” in terms of the balance his administration struck between preventing terrorism and protecting civil liberties. This balance, and the process through which it is achieved, he distinguished “from those on the other side of the wall”–a phrase that resonates with memories of physical walls of the past and worries about virtual walls of the present. Whether Americans agree with the President about what should happen on our side of the wall remains to be seen, an outcome that will also affect how history remembers this President.

Has Code Become Law? The Liberty Implications of NSA Technological Capability

The furor sparked by disclosure of secret U.S. government surveillance programs reminded me of the famous argument about the relationship of liberty and cyberspace—Harvard Professor Lawrence Lessig’s assertion that, in cyberspace, “code is law.” By this, Lessig meant that the software code that makes the Internet and related technologies run empowers and restricts behavior and, thus, regulates activities in cyberspace. Lessig warned that the regulatory effects of code could displace constitutional traditions and threaten political liberty unless deliberative democracy controls the power that software code creates.

The United States is now debating the legality of power the U.S. government claims it possesses in cyberspace—a power that includes collecting daily the records of phone calls made by millions of Americans. Defenders of the surveillance programs argue that this power, and its secret exercise, is necessary to prevent terrorist attacks. However, arguments that covert government activities are vital for national security are not new; they are as old as politics and, in the United States, a traditional source of skepticism in a Republic self-governed by a free people. The argument from necessity has been fountainhead of abuses in the past, but it has never before been the justification for the mass collection of information on the daily communications of millions of Americans not suspected of any wrongdoing, let alone involvement with terrorism. So what explains why we hear this justification now?

What is new is the technological capability of the U.S. government to collect, mine, and use that information in the name of national security. Technological innovation permits the private sector (think Facebook and Google) and the government—and the NSA in particular—to develop data storage and data-mining capabilities that permit the acquisition and analysis of almost unimaginable amounts and kinds of digital information. The fundamental enabler of this unprecedented capability is software code. Here, code is power.

Prior to development of this code-based capability, it was not feasible to collect and analyze records on the daily communications of millions of Americans in a timely or useful manner—making arguments for the national security necessity of doing so pointless. But, now, the U.S. government can undertake mass surveillance and, apparently, produce actionable intelligence from Americans’ local phone calls that thwarts terrorist attacks. Here, code creates a vital national security interest where none existed before.

In the American tradition, the Constitution and the Bill of Rights provide the sword and the shield against government attempts to exercise power against Americans for national security reasons, and opponents of the secret surveillance of Americans’ telephone calls have turned again to this arsenal. However, we have to ask whether the technological capability to undertake surveillance on a scale never before possible has changed interpretations of the law the government used, namely Section 215 of the PATRIOT Act. Many have re-read Section 215 in light of recent disclosures and have been unsettled to learn it justifies the daily collection of data about the communications of law-abiding Americans because the U.S. government is investigating international terrorism.

Are we now interpreting laws, including constitutional principles, differently because we can, with software-enabled technologies, do things that were impossible before and that our history suggests we should resist, especially when coupled with the argument of national security need? If so, is software code defining the law and the scope of liberty?

Just as Americans have often been wary of arguments that the exercise of expansive, secret government power is justified by national security necessity, the unfolding debate in the United States should also interrogate arguments that the government must exercise such power because, now, it can.

Why the WTO is not an Appropriate Venue for Addressing Economic Cyber Espionage

Using the WTO to Respond to Economic Cyber Espionage?

US policy concerns about cyber espionage continue to grow, especially traditional and economic espionage allegedly conducted by China against the US and US companies through cyber technologies. Today (February 11), the Washington Post reported on a new National Intelligence Estimate focused on a “massive cyber-espionage campaign” directed at the US private sector by China. Concerns about economic cyber espionage include deepening frustration because the options available to the US to address cyber espionage are few, and the use of the limited options, such as criminalizing economic espionage in national law, have not proved much of a deterrent before or after spies began exploiting the Internet.

In the debate about how to counteract economic cyber espionage, cybersecurity heavyweights are encouraging the US to use the World Trade Organization (WTO) and its rules on intellectual property in the Agreement on Trade-Related Intellectual Property Rights (TRIPS) to address economic cyber espionage. On February 7, 2013, Richard Clarke argued in an op-ed that “victims of Chinese economic espionage should seek to establish clear guidelines and penalties within the World Trade Organization system[.]” In a Center for Strategic and International Studies (CSIS) report released on February 8, 2013, James Lewis argued that the US should use the WTO in its strategy against Chinese economic cyber espionage (see pages 49-51 of the report).

The recent appearance of these WTO arguments by Clarke and Lewis suggests that these influential experts perceive policy traction with these proposals is possible. Indeed, the Washington Post reported in its February 11 story that the Obama administration is considering, among other options, making “complaints to the World Trade Organization.” However, the idea that the WTO can prove useful to the US in addressing economic cyber espionage is not convincing legally or politically. The US should not view the WTO and TRIPS as appropriate venues for confronting the problem of economic cyber espionage.

Read the rest of this entry »

Becoming Binary Amidst Multipolarity: Internet Governance, Cybersecurity, and the Controversial Conclusion of the World Conference on International Telecommunications in December 2012

Arms control experts know that national security policies are embedded in larger concerns about the balance of power in international relations. The contentious outcome of the World Conference on International Telecommunications (WCIT) in Dubai in December 2012 demonstrates that cybersecurity is similarly tethered to geo-political competition over power and influence. The WCIT ended in acrimony because of disagreements on issues fundamental to the Internet’s place in national and international politics. These disagreements reflect deep differences among states on Internet and cyberspace governance–differences that produce incompatible notions of cybersecurity and a difficult environment in which to pursue international cooperation on this security problem.

The UN’s International Telecommunication Union (ITU) convened the WCIT to negotiate changes to the International Telecommunication Regulations (ITRs), a treaty adopted by ITU member states in 1988 to foster more effective cooperation on provision of international telecommunication services (e.g., telegraph and telephone). Since 1988, the global emergence of the Internet has revolutionized international telecommunications, making the ITRs essentially irrelevant to issues raised by the Internet’s astonishing growth and profound economic and political implications. The initiatives and processes that produced the global Internet took place outside the ITU and other intergovernmental institutions in “multi-stakeholder” forums, such as the Internet Engineering Task Force (IETF) and the Internet Corporation for Assigned Names and Numbers (ICANN).

Since at least the early 2000s, a number of countries, including China, Russia, and many developing nations, have expressed concerns about these multi-stakeholder processes and have sought to increase the role of governments, intergovernmental institutions, and international law in such governance. An important element in this challenge has been the perception that the status quo gives the United States a dominant position not justified in the context of a global Internet. The United States and its like-minded allies opposed efforts in ITU forums, such as the World Summit on the Information Society (2003-2005), to move from multi-stakeholder approaches to more intergovernmental influence and control.

The WCIT became the latest diplomatic venue for this clash of interests and ideas. Although the ITU Secretary-General repeatedly said that the WCIT would not be about Internet governance, ITU members proposed changes to the ITRs that put Internet governance, whether narrowly or broadly conceived, on the negotiating table. These proposals fueled arguments that the WCIT constituted a threat to a free and open Internet. The WCIT opened in a highly politicized environment and was not able to achieve sufficient compromises to produce consensus. In the end, 88 countries–including many African states, Brazil, China, Iran, and Russia–signed the revised ITRs, and 55 nations–including the United States and members of the European Union (EU)–did not sign the revised treaty. (For more legal analysis of the revised ITRs, see my American Society of International Law Insight on the WCIT and the revised ITRs.)

The United States was the most prominent opponent of the revised ITRs, and its opposition centered on Internet-related issues, namely expanding the scope of the ITRs to reach providers of Internet services, adding provisions on network and information security and on spam to the revised regulations, and attaching a non-binding resolution addressing Internet governance. For the United States, the revised ITRs threatened the multi-stakeholder approach and opened possibilities for countries to use the revised regulations to justify censorship in cyberspace, disrupt innovation, and harm the economic potential the Internet supports.

Looking more specifically at cybersecurity, the WCIT and its outcome did not create controversies in this policy space because problems have existed for years concerning how to improve cooperation on this issue. In brief, countries have disagreed about what “cybersecurity” or, as other countries prefer, “information security,” means. In addition, distrust among countries has increased, national moves to strengthen cyber defenses and capabilities have heightened worries, and high-profile incidents of cyber attacks, especially Stuxnet, have deepened anxieties. International cooperation has developed more in regional contexts than at the multilateral level, as illustrated by the Shanghai Cooperation Organization’s agreement on information security, NATO’s development of a cyber defense policy, and the EU’s recent announcement of its cybersecurity strategy.

However, the WCIT worsens the already questionable prospects for multilateral cooperation on cybersecurity for the foreseeable future. The two sides of the Internet governance debate hardened and entrenched their respective positions through the WCIT and the revised ITRs. China, Russia, and other supporters of the revised ITRs will, in all likelihood, use the ITU and the revised ITRs to press their ideas and interests on Internet issues, including what they perceive as security threats in this realm. The United States has announced that it will continue to oppose changes to Internet governance attempted through the ITU and the WCIT and will move to strengthen its cyber diplomacy through leveraging its allies in Europe (e.g., the EU and NATO) and intensifying bilateral cooperation with other countries, especially on cybersecurity.

This binary context of opposing factions adversely affects more than hopes for internationally agreed controls on cyber weapons (to the extent such hopes have survived to this point in time); it also challenges the role of Internet-relevant norms–binding and non-binding–in an international political environment that is experiencing confrontation and contestation about the Internet and cyberspace. Revelations subsequent to the WCIT’s conclusion–including allegations of Chinese hacking of major US newspapers and reporting on scaled-up US military cyber capabilities and secret “rules of engagement” for US cyber operations–have deepened the sense that power politics in cyberspace has entered a new and potentially more dangerous phase.

Did Stuxnet breach the UN Charter’s ‘Principles’?

On 28 September, the Iranian Foreign Affairs Minister Ali Akbar Salehi addressed the UN Security Council at the High Level Meeting on Countering Nuclear Terrorism (the text of the speech can be read here). Among other things, in the speech Salehi criticized cyber attacks against Iranian nuclear facilities and qualified them as ‘manifestation of nuclear terrorism and consequently a grave violation of the principles of UN Charter and international law’ (the emphasis is mine).  This might be the first time that Iran has taken an official and explicit position with regard to the (il)legality of Stuxnet, at least in an international forum (on the ‘conspiracy of silence’ that surrounded Stuxnet, see David Fidler’s interesting article in Privacy Interests, July/August 2011).

The question however is, which UN Charter principles were allegedly breached by Stuxnet? Assuming that Salehi used the word ‘principles’ in a technical sense, the Charter’s principles are famously listed in Article 2. Principles 5, 6 and 7 are not relevant in the present case. Principle 2 merely refers to the duty to comply in good faith with the obligations arising from the Charter. On the other hand, Principle 1 reaffirms the sovereign equality of states, a corollary of which is the prohibition of intervention in internal affairs of other states. According to the International Court of Justice, the prohibition of intervention is ‘part and parcel of international law’ (Nicaragua v. United States (Merits), 1986, para. 202). The 1970 UN General Assembly’s Declaration on Friendly Relations condemns ‘armed intervention and all other forms of interference or attempted threats against the personality of the State or against its political, economic and cultural elements’, and also emphasizes  that ‘[n]o State may use or encourage the use of economic political or any other type of measures to coerce another State in order to obtain from it the subordination of the exercise of its sovereign rights and to secure from it advantages of any kind’ (the emphasis is mine). The language is broad enough to cover intervention by means of cyber attacks when they have a coercive purpose, i.e. when they aim at coercing the target state into doing or not doing something that the state is otherwise legally entitled to do. But if the (non-forcible) intervention is a reaction against something that the target state was not legally entitled to do, i.e. a breach of international law, then it could amount to a lawful countermeasure aimed at persuading the wrongdoing state to stop the breach and provide reparation. From this perspective, the legality of Stuxnet would therefore depend on: 1) whether Iran’s nuclear programme is an internationally wrongful act in the form of a violation of NPT obligations; 2) whether the state(s) behind Stuxnet (if any) were ‘injured’ by Iran’s breach or were otherwise entitled to adopt countermeasures in relation to it under the law of state responsibility (see Arts. 42, 48 and 54 of the International Law Commission’s Articles on the Responsibility of States for Internationally Wrongful Acts); 3) whether Stuxnet amounted to a ‘use of force’ (countermeasures cannot affect the prohibition of the use of force: Art. 50 (1) of the ILC Articles); 4) whether non-proliferation law is a special regime that has its own enforcement mechanisms (see Sahib Singh’s chapter in my and Dan’s book).

The third condition leads me to discuss the other two relevant principles in Article 2 of the UN Charter that might determine the illegality of Stuxnet. Principles 3 and 4 are two sides of the same coin and affirm the obligation to settle international disputes peacefully and not to resort to armed force in international relations. Whether Stuxnet is a violation of these two principles depends on whether it can be qualified as a use of ‘armed force’. I have already addressed this issue here, so I will limit myself to refer to the points I make in that article. The recently released draft of the Tallinn Manual on Cyber Warfare (text here) argues, in Rule 11, that ‘[a] cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force’. It then suggests several non-exhaustive factors in order to determine when it is so (pp. 49-50). In the end, the Manual concludes that Stuxnet was a use of force (p. 47) and, at least according to some of the experts that drafted the Manual, even an ‘armed attack’ (p. 56). I do not think that Stuxnet reached the scale and effects threshold of an armed attack, but, as it did cause material damage of some significance, I do not see any problems with qualifying it as a use of force, for the reasons I try to explain in my article. It should also be noted that, unlike the previous case of the principle of non-intervention, the legality of Stuxnet as a use of force would not depend on whether Iran has breached the NPT: under Article 51 of the Charter, force can be used only if an armed attack ‘occurs’. Even if Iran were developing nuclear weapons, it would not have committed an armed attack until it actually uses them.

To sum up. If Stuxnet was a use of force, then the responsible state(s) breached the principles listed in Article 2 (1), (3) and (4) of the UN Charter. As countermeasures cannot consist of a violation of the prohibition of the threat and use of force, Stuxnet would be illegal even if it were established that Iran is in breach of the NPT. If however Stuxnet is not considered a use of force, it would be a breach of the principle of non-intervention, unless it amounts to a lawful countermeasure against Iran’s alleged breach of its non-proliferation obligations.

I would be interested in your thoughts on this.