After the release of a report this week revealing significant gaps in cybersecurity among states, the private sector, and international institutions questions remain about what to do moving forward. My colleague, Ryan Kaminski, who holds a B.A. from the University of Chicago and a M.A. from Columbia University, offers his assessment.
In a recently published report (.pdf), the cybersecurity firm McAfee alleges that it blew the whistle on a five-year-old global malware network dubbed, “Operation Shady Rat” (OSR). Relying on targeted phishing strategies, aptly designated as “spear phishing,” the document claims that OSR was able to infect seventy-two government and other institutions in more than a dozen countries, potentially siphoning loads of sensitive information along the way. Targets include the United Nations (UN), U.S. government, the International Olympic Committee, and the World Anti-Doping Agency among others.
Dmitri Alperovtich, the author of the report and a senior analyst with McAfee, doesn’t spill the beans on who is behind OSR, but most experts point the finger at China.
This is not terribly good news and, unfortunately, neither was the coverage the report received.
Rushing to coin their own cyberjargon, news outlets referred to OSR as a worldwide “cyberspying,” “cyber espionage,” or “cyberattack” tool aimed at critical state-level and global institutional architecture. There are two problems here. First, these terms all have significantly different connotations. Second, it is anyone’s guess whether organizational heavyweights like the United Nations or the United States government were the targets of a half-decade transnational spying effort, espionage campaign, or attack strategy.
This encapsulates a much larger issue in the realm of cybersecurity; namely, the absence of a robust global cyber-lexicon. Quite simply, there are virtually no universally agreed-upon guidelines at the broadest of multilateral levels that distinguish general, everyday, spying from an abhorrent, unprovoked attack. To retool a popular phrase: one state’s cybersnooping remains another’s cyber Pearl Harbor.
High level policy makers and diplomats need to clarify these types of distinctions. In 2007, for example, Estonia reportedly considering invoking Article V of NATO’s charter in response to hackers that stalled Estonian banking and government websites. At the time, most in Estonia believed the operation was launched by the Kremlin. Luckily, Estonia backed off averting a major clash in diplomatic relations. (Ultimately, a student of Russian descent living in Estonia was charged for the incident and fined about $1300).
The United States, other great powers, and emerging powers should derive guidelines for appropriate policy responses to anything from e-mail phishing to coordinated disturbed denial-of-service attacks designed to crash websites and, in turn, government or critical infrastructure-related activity. Council on Foreign Relations senior fellow Adam Segal has called for the US to make “cyber declaratory statements” and engage in “informal multilateralism” to delineate what it considers acts of cyberwarfare versus fair game when states make use of cyberspace. These are crucial steps, but they must be coupled with efforts at achieving a more universal and enforceable cybersecurity mechanism.
This involves conceptualizing so-called minilateral forums like the Group of Eight or Group of Twenty nations not as ends in themselves, but as launching pads for developing a more formalized pact in the future.
The Nuclear Non-Proliferation Treaty (NPT), Biological and Toxin Weapons Convention (BTWC), and Chemical Weapons Convention have already accomplished the kind of international compact that cybersecurity requires. The BTWC, for example, not only enumerates a multitiered schedule of legitimate and non-legitimate chemical agents a state can possess (like tear gas), it also places an affirmative obligation on states to prevent chemical attacks from being executed within their territory. The NPT includes a detailed bifurcation of peaceful and non-peaceful uses of nuclear energy. Together, all three enjoy overwhelmingly support from the international community, and have encouraged both the implementation and maintenance of global standards of conduct.
If treaties regarding the use of cyberspace were created, the rogue use of cyberspace becomes more costly and less likely. The effect is not only less ambiguity in deciding to respond to events like OSR, but also deterring them in the first place.
Nevertheless, critics of establishing a global cyber accord continue to argue that not all states will join a global cyber regime and that it will be incredibly difficult to reach a consensus amongst so many different actors, cyber-capabilities, and interests. Yes, North Korea and friends may choose to take their bats (or flash drives) and go home. However, there will always be outliers, and this has not precluded global cooperation in the past. Although building a consensus among 193 UN member states connected to the Internet will be difficult, the ad hoc, one country-one policy approach of today is untenable.