Stewart M. Patrick

The Internationalist

Patrick assesses the future of world order, state sovereignty, and multilateral cooperation.



Guest Post: Clash of Interpretations: Was the UN “Attacked”?

by Stewart M. Patrick
August 4, 2011

People use computers in an internet cafe in Shanghai. (Nir Elias/ Courtesy Reuters).

After the release of a report this week revealing significant gaps in cybersecurity among states, the private sector, and international institutions, questions remain about what to do moving forward. My colleague, Ryan Kaminski, who holds a B.A. from the University of Chicago and an M.A. from Columbia University, offers his assessment.

In a recently published report (.pdf), the cybersecurity firm McAfee alleges that it blew the whistle on a five-year-old global malware network dubbed “Operation Shady Rat” (OSR). Relying on targeted phishing strategies, aptly designated as “spear phishing,” the document claims that OSR was able to infect seventy-two government and other institutions in more than a dozen countries, potentially siphoning loads of sensitive information along the way. Targets include the United Nations (UN), U.S. government, the International Olympic Committee, and the World Anti-Doping Agency, among others.

Dmitri Alperovitch, the author of the report and a senior analyst with McAfee, doesn’t spill the beans on who is behind OSR, but most experts point the finger at China.

This is not terribly good news and, unfortunately, neither was the coverage the report received.

Rushing to coin their own cyberjargon, news outlets referred to OSR as a worldwide “cyberspying,” “cyber espionage,” or “cyberattack” tool aimed at critical state-level and global institutional architecture.  There are two problems here. First, these terms all have significantly different connotations. Second, it is anyone’s guess whether organizational heavyweights like the United Nations or the United States government were the targets of a half-decade transnational spying effort, espionage campaign, or attack strategy.

This encapsulates a much larger issue in the realm of cybersecurity: namely, the absence of a robust global cyber-lexicon. Quite simply, there are virtually no universally agreed-upon guidelines at the broadest of multilateral levels that distinguish general, everyday spying from an abhorrent, unprovoked attack. To retool a popular phrase: one state’s cybersnooping remains another’s cyber Pearl Harbor.

High-level policymakers and diplomats need to clarify these types of distinctions. In 2007, for example, Estonia reportedly considered invoking Article V of NATO’s charter in response to hackers that stalled Estonian banking and government websites. At the time, most in Estonia believed the operation was launched by the Kremlin. Luckily, Estonia backed off, averting a major clash in diplomatic relations. (Ultimately, a student of Russian descent living in Estonia was charged for the incident and fined about $1300.)

The United States, other great powers, and emerging powers should derive guidelines for appropriate policy responses to anything from e-mail phishing to coordinated distributed denial-of-service attacks designed to crash websites and, in turn, government or critical infrastructure-related activity. Council on Foreign Relations senior fellow Adam Segal has called for the US to make “cyber declaratory statements” and engage in “informal multilateralism” to delineate what it considers acts of cyberwarfare versus fair game when states make use of cyberspace. These are crucial steps, but they must be coupled with efforts at achieving a more universal and enforceable cybersecurity mechanism.

This involves conceptualizing so-called minilateral forums like the Group of Eight or Group of Twenty nations not as ends in themselves, but as launching pads for developing a more formalized pact in the future.

The Nuclear Non-Proliferation Treaty (NPT), Biological and Toxin Weapons Convention (BTWC), and Chemical Weapons Convention have already accomplished the kind of international compact that cybersecurity requires. The BTWC, for example, not only enumerates a multitiered schedule of legitimate and non-legitimate chemical agents a state can possess (like tear gas), it also places an affirmative obligation on states to prevent chemical attacks from being executed within their territory. The NPT includes a detailed bifurcation of peaceful and non-peaceful uses of nuclear energy. Together, all three enjoy overwhelming support from the international community, and have encouraged both the implementation and maintenance of global standards of conduct.

If treaties regarding the use of cyberspace were created, the rogue use of cyberspace would become more costly and less likely. The effect would be not only less ambiguity in deciding to respond to events like OSR, but also deterrence of such events in the first place.

Nevertheless, critics of establishing a global cyber accord continue to argue that not all states will join a global cyber regime and that it will be incredibly difficult to reach a consensus amongst so many different actors, cyber-capabilities, and interests. Yes, North Korea and friends may choose to take their bats (or flash drives) and go home. However, there will always be outliers, and this has not precluded global cooperation in the past. Although building a consensus among 193 UN member states connected to the Internet will be difficult, the ad hoc, one country-one policy approach of today is untenable.

2 Comments

  • Posted by Doug


    You fail to acknowledge in your papers the benefits of not having an international treaty or institution with an enforcement capacity to prevent cyber warfare. While the larger mechanism of cyber warfare and attacks such as OSR can have drastic effects on the international community, not having a treaty still tangibly benefits individual states.

    For example, it benefits the U.S. for intelligence gathering purposes which result in economic, political and military advantages over other states. Just Google Computer Network Operations warfare or Cyber Command to see all the intelligence (offensive not defensive) jobs involving cyber warfare.

    One tangible effect of cyber warfare is the ability of one country to steal technology from a competitor. This has happened several times in the last year, Iran Stuxnet virus and Chinese stealth fighter are the best examples of this. Both are excellent examples of how competing states are able to gain a technological advantage over each other or use cyber warfare as a system of checks and balances for their individual.

    One could argue it could serve as a “trust but verify” accountability mechanism. So cyber warfare is offensive relative capability or regulatory capability similar to that of Chinese manipulation and undervaluation of its currency.

    You will continue to see joint ventures to prevent the use of cyber warfare as weapons of mass destruction, but you will not see states cooperate to a point where they are exposing their complete array of National Technical Means. Also, it is highly cost effective. People are not required to be physically present on the ground to make CNO or cyber crime work. This gives countries that do not have hundreds of billions of dollars to spend on defense or intelligence gathering an economic advantage. Why should they give that up? (For the greater good?)

    Why don’t you spend some time answering the following questions. Why would the benefits of creating an international consortium that regulates cyber warfare/crime and effectively intelligence gathering benefit the international community, especially when some states such as Pakistan are thought to be supporting terrorism? If a state such as Pakistan can’t control its internal political system, how in the world is it going to be able to prevent actors from using the internet as a mechanism for cyber crime and as a propagation tool for the recruitment of terrorists? If Pakistan’s inability to do this physical task (find Osama Bin Laden) is any indication of its effectiveness, how would it be effective if it joined an international anti-cyber warfare consortium? The answer is weak states would have to obtain or create defensive alliances with states that possess the capacity to monitor cyber warfare, or weak states would have to create the mechanisms. It would have to be in the immediate national security interests of the more powerful states to solidly back and effectively fund such initiatives with true enforcement capabilities. Why hasn’t this happened yet given all of the cyber attacks over the last four years?

    The U.S. runs the counter terrorism show in Pakistan, because it has been deemed in its immediate national security interests. The drone strikes are thought to be carried out by the U.S. The U.S. autonomously runs the counter terrorism operations in that part of the world based on their interests, and until you can prove otherwise. A cyber treaty will have no tangible effect, because at the present the benefits outweigh the costs to states such as the U.S. and China. The U.N. didn’t sanction the Stuxnet worm, but it didn’t stop a state from conducting it and didn’t stop intellectual theft of billions of dollars worth of trade secrets. These actions benefit a specific party or group of parties.

    NATO can hold as many conferences as they want on countering cyber warfare. When the U.S. and its allies (Israel) stop spying on each other, and North Korea and Iran give up their nuclear weapons programs due to UN enforcement, your theory and laudable goals may come to fruition.

    Sent from my Blackberry
    Please forgive typos.

  • Posted by Faviola Suihkonen

    I really like the style in which this problem has been described. Often, I browse the web about this and hardly anyone writes in such an accessible way.


CFR seeks to foster civil and informed discussion of foreign policy issues. Opinions expressed on CFR blogs are solely those of the author or commenter, not of CFR, which takes no institutional positions. All comments must abide by CFR's guidelines and will be moderated prior to posting.
