When Nation-States Create Computer Viruses: “Diplomacy by Other Means” or Pandora’s Box? (Part 8 of 8)

This 8-part blog series examines the legality, justifications, and consequences of nation-state involvement in the creation of computer malware such as Stuxnet and Flame.

“A strange game, Dr. Falken. The only winning move is not to play.”

– the WOPR, WarGames (1983)

In the last post, we discussed various approaches to an international response to cyber-conflict, including arguments that an international effort is unnecessary or detrimental to U.S. interests. Each approach has its benefits and drawbacks, and none is comprehensive. Current international law is difficult to apply and subject to wide interpretation when it comes to cyber-attacks. Recognizing this, I have been trying to make a normative point with many of my prior posts, setting the stage for why a new framework is needed from the perspective of public policy.

In this eighth and final posting, I’d like to take the time to re-frame the problem more widely, demonstrating why more is needed to protect cyberspace and why a new perspective is necessary.

A Quest for Cyber Peace

In 2011, the International Telecommunication Union and the World Federation of Scientists published a joint report called The Quest for Cyber Peace.[i] No other approach to the problem of cyber-war is as comprehensive, as it unifies many of the theories and approaches outlined in the last post. More importantly, it establishes a needed ethical paradigm which helps to combat troublesome peripheral trends I just mentioned.

The authors of the ITU report argue that an essential notion is missing from most discussions of cyber-war: a concept of “cyber-peace.”[ii] Without a concept of peace, the issues become framed in the negative, “stimulating military thinking patterns” and hardening conceptions of the topic into a “mental automatism.”[iii] This is not an unknown idea in the theory of war,[iv] and it is a position I have been championing here. In an era where countries are increasingly setting up new military command centers in preparation for “cyber-war,” a positive notion of cyber-peace helps counterbalance and de-inflate those efforts.

Cyber peace is the idea of a “universal order of cyberspace.”[v] It views cyberspace as a place of tranquility, without disturbance, violence, or any other constraint by governments on people’s peaceful exchange of knowledge.[vi] Cyber peace resists the use of cyberspace as a tool for “diplomacy by other means”[vii] and other forms of exploitation.

The tenets of cyber-peace are well-supported by internationally endorsed norms, such as Article 19 of the Universal Declaration of Human Rights, which establishes “the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.” It also inculcates the WSIS declaration that freedom to communicate is an “essential foundation” of society.

When viewed in this way, a sane and ethical position on many issues becomes clearer.

First, a defensive emphasis is needed—something I alluded to in the last posting. To accomplish this, every party in the global information network (vendors, private companies, international organizations, and governments) must equip themselves with resilient systems which are high in quality. They should be able to adapt and self-heal. International standards bodies must rigorously certify equipment and make standards information open and widely available.  To further promote this, nations should enter into mutual monitoring pacts and non-aggression treaties.[viii]

Complementary to this idea is recognizing that a defensive emphasis is not  the same as a “deterrence” emphasis. A defensive emphasis is not our government’s current posture of defending by threat and counter-attack, because that posture only serves to inflame and escalate other countries to develop better methods of the same. Nations need to recognize that a strategy of deterrence does not work in cyberspace because the problems of attribution are too great and the risk of retaliation against the wrong target too high.[ix]

Next, the priority in any cyber-attack should be the quick restoration of peace and stability rather than attribution and counterattack. Thus, international law should be restrained in the face of calls to expand the Laws of Armed Conflict’s definition of war. Such a position equally views as unacceptable offensive attacks, preemptive attacks used for “defense,” countermeasures, or attacks used to enforce sanctions (like Stuxnet).

Finally, the notion of a peaceful cyberspace is expansive enough to transition beyond the concept of state-on-state cyberattacks to include a state’s attack on its own citizens. Recent trends in surveillance and surreptitious manipulation of the citizen’s computer and data have been very disturbing. These trends are part of what Cory Doctorow calls “a civil war on general purpose computing.” Several recent examples include FinSpy (a commercial cyber-espionage tool used by deposed Egyptian dictator Mubarak, among others); the German government’s “bundestrojan,” (used by German police to conduct surveillance on citizens, with the complicity of several anti-virus software vendors to ensure it would not be discovered); and the Dutch government’s recent proposal to pass a law allowing police to install malware on citizens’ computers and even conduct remote searches on foreign computers.

The Erice Declaration on Principles for Cyber Stability and Cyber Peace[x]

For your perusal, I have included the Erice Declaration below, which has been adopted by the ITU as part of its recommendations:

1. All governments should recognize that international law guarantees individuals the free flow of information and ideas; these guarantees also apply to cyberspace. Restrictions should only be as necessary and accompanied by a process for legal review.

2. All countries should work together to develop a common code of cyber conduct and harmonized global legal framework, including procedural provisions regarding investigative assistance and cooperation that respects privacy and human rights. All governments, service providers, and users should support international law enforcement efforts against cyber criminals.

3. All users, service providers, and governments should work to ensure that cyberspace is not used in any way that would result in the exploitation of users, particularly the young and defenseless, through violence or degradation.

4. Governments, organizations, and the private sector, including individuals, should implement and maintain comprehensive security programs based upon internationally accepted best practices and standards and utilizing privacy and security technologies.

5. Software and hardware developers should strive to develop secure technologies that promote resiliency and resist vulnerabilities.

6. Governments should actively participate in United Nations’ efforts to promote global cyber security and cyber peace and to avoid the use of cyberspace for conflict.

My Own Position

Nations have used international law to outlaw biological and chemical weapons, signed nuclear non-proliferation pacts, and banned the weaponization of space. It is similarly important that we turn our minds toward a new paradigm for cyberspace—one which describes the legal and ethical principles that would undergird a peaceful rather than a war-like cyberspace.

We should do this not merely because of cyber-war’s possible dire consequences or so that cyberattacks will not escalate into a real war, but because the Internet is exactly that – a network which exists because of a desire to interconnect and break down barriers to communication, not to make attacks easier. Thus, cyberspace is a place owned by all nations. All breaches of it should be unlawful; no unlawful act by one party should justify a complementary response by another.

As the WOPR (War Operations Planned Response) computer in the movie Wargames finally recognized after simulating the outcome of every possible attack scenario, only by holding fast to a notion of cyber-peace can we “win.”


[i] Dr. Hamadoun I. Touré, SECRETARY-GENERAL OF THE INTERNATIONAL TELECOMMUNICATION UNION, ET AL., THE QUEST FOR CYBER PEACE (2011), available at http://www.itu.int/dms_pub/itu-s/opb/gen/S-GEN-WFS.01-1-2011-PDF-E.pdf.

[ii] Id. at 77.

[iii] Id.

[iv] See, e.g., Paul Goodman, A Causerie at the Military-Industrial (Oct., 1967).

[v] Id. at 78.

[vi] Id. at 78.

[vii] Carl von Clausewitz.

[viii] Id. at 84.

[ix] Id. at 96-97.

[x] Erice Declaration on Principles for Cyber Stability and Cyber Peace, World Federation of Scientists, Aug. 2009, www.ewi.info/system/files/Erice.pdf (drafted by the Permanent Monitoring Panel on Information Security of the World Federation of Scientists (WFS), Geneva, and adopted at the 42nd Session of the International Seminars on Planetary Emergencies in Erice (Sicily) on August 20, 2009).

Advertisements

~ by K. Miller on November 21, 2012.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: