Crossed Wires: International Cooperation on Cyber Security

Conclusion

While cooperation on other transnational issues is often based around mutual interest and/or around relationships of trust, cyber security is problematic in both respects. Perhaps in part because of the broad implications of Internet technology, state interests in this context align at some times and they collide quite significantly at others. Furthermore, the attribution problem and its implications for transparency mean that trust is difficult.

In the case of a pre-existing security arrangement like NATO, the challenges of interpreting cyber security within a set of practices and policies conceived of to address kinetic conflict continue to play out and to limit clarity about possible retaliation. The ongoing problems of attribution and the interconnected nature of military and civilian systems make options for response complex and (at this stage) quite limited. In addition, there is much more work to be done on understanding the extent to which cyber security and war can be dealt with in the same conceptual, legal and practical frameworks. It is likely that extending war-related practices and policies to cyberspace will have limited utility in the long term.

For a ‘purpose built' mechanism for international cooperation on cyber security like the Budapest convention, aligning laws in cyberspace equates to aligning values on issues with diverse interpretations and approaches. Values and interests have always played a role in international cooperation of any kind but in the case of cyber security, the implications are so broad that an unusually wide range of factors must be taken into account and coordinated and this has proven challenging. Perhaps as significant as this has been the expectation by states of a more equitable and inclusive process – one that is not led by powerful states but one that takes into account more fully the views of those expected to participate.

This brief account of some of the political impediments to greater international cooperation on cyber security points to a broad range of issues that demand much more in depth and sustained attention from International Relations as a discipline. It is both surprising and puzzling that a discipline so well equipped to address issues of global security, cooperation, war, peace, power and competition has yet to contribute more significantly to understanding the implications of the information age. This special issue reflects the willingness, curiosity and capability of the next generation of IR scholars to address these questions and I am proud to be published in their company.

Author

Dr. Madeline Carr, Senior Lecturer in International Politics and the Cyber Dimension

References

Applebaum, A. ‘For Estonia and NATO, A New Kind of War', The Washington Post, 22 May 2007, p. A15 http://www.washingtonpost.com/wpdyn/content/article/2007/05/21/AR2007052101436.html.

Berinato, S. ‘The Future of Security', Computerworld, 30 December 2003 http://www.computerworld.com/s/article/print/88646/The_future_of_security.

Biddle, E.R. ‘Brazil: Cybercrime Law Could Restrict Fundamental Rights, Internet Openness', Global Voices Advocacy Blog, 8 November 2011 http://advocacy.globalvoicesonline.org/2011/11/08/brazil-cybercrime-lawcouldrestrict-fundamental-rights-internet-openness/.

Booth, K. & Wheeler, N.J. The Security Dilemma: Fear, Cooperation, and Trust in World Politics, New York, Palgrave Macmillan, 2008.

Carr, M. US Power and the Internet in International Relations: The Irony of the Information Age, London, Palgrave Macmillan, 2016.

Clarke, R.A. & Knake, R.K. Cyber War: The next threat to national security and what to do about it, New York, HarperCollins, 2010.

de la Chapelle, B. ‘Towards Multi-Stakeholder Governance – The Internet Governance Forum as Laboratory', in The Power of Ideas: Internet Governance in a Global Multi-Stakeholder Environment, Kleinwachter, W. (ed.), Marketing for Deutschland GmbH, 2007.

Convention on Cybercrime, Council of Europe, http://conventions.coe.int/Treaty/EN/Reports/Html/185.htm.

‘Cyber Warfare – Beyond Estonia-Russia, The Rise of China's 5^th Dimension Cyber Army', Asymmetric Threats Contingency Alliance (ACTA) Briefing, 30 May 2007, http://www.mi2g.com/cgi/mi2g/frameset.php?pageid=http%3A//www.mi2g.com/cgi/mi2g/press/300507.php.

Death, C. (ed.), Critical Environmental Politics, London, Routledge, 2014. ‘Estonia hit by "Moscow cyber war"', BBC News, 17 May 2007 http://news.bbc.co.uk/2/hi/europe/6665145.stm.

‘Estonia urges firm EU, NATO response to new form of warfare: cyberattacks', The Sydney Morning Herald, 16 May 2007 http://www.smh.com.au/news/Technology/Estonia-urges-firm-EU-NATO-response-to-new-form-ofwarfarecyberattacks/2007/05/16/1178995207414.html

Greenemeier, L. ‘Estonian ‘Cyber-Riot' Was Planned, But MasterMind Still a Mystery', Information Week, 3 August 2007 http://www.informationweek.com/news/showArticle.jhtml?articleID=2012 02784

Harley, B. ‘A Global Convention on Cybercrime?', The Columbia Science and Technology Law Review blog, 23 March 2010 http://stlr.org/2010/03/23/a-global-convention-on-cybercrime/.

Hern, A. ‘North Korean ‘cyberwarfare' said to have cost South Korea £500m', The Guardian, 16 October 2013 http://www.theguardian.com/world/2013/oct/16/north-korean-cyberwarfaresouth-korea.

James, S. ‘Hacktivist's Advocate: Meet the lawyer who defends Anonymous', The Atlantic, 2012 http://www.theatlantic.com/international/archive/2012/10/hacktivistsadvocatemeet-the-lawyer-who-defends-anonymous/263202/.

Keating, V. & Ruzicka, J. ‘No Need to Hedge: Identifying trusting relationships in international politics', Review of International Studies, 40:4 (2014), pp. 753-770.

Kydd, H., Trust and Mistrust in International Relations, Princeton, Princeton University Press, 2005.

Maude, F. The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world, London, Cabinet Office, 2011.

‘NATO Probes Cyber Attacks on Estonia', Deutsche Welle, 18 May 2007, http://www.dw-world.de/dw/article/0,,2542756,00.html?maca=en-rss-enall1573-rdf.

Net Losses: Estimating the Global Cost of Cybercrime, Center for Strategic and International Studies, June 2014, http://www.mcafee.com/us/resources/reports/rp-economic-impactcybercrime2.pdf.

Obama, President Barack, International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World, Washington DC, The Whitehouse, 2011.

Rid, T. Cyber War Will Not Take Place, London, Hurst and Company, 2013.

Ruzicka, J. & Wheeler, N.J. ‘The Puzzle of Trusting Relationships in the Nuclear Non-Proliferation Treaty', International Affairs, 86:1 (2010), pp. 69-85.

Spafford, E.H. Testimony at Cybersecurity: Assessing our Vulnerabilities and Developing an Effective Response, hearing before the Committee on Commerce, Science, and Transportation, United States Senate, 19 March 2009.

Stoltenberg, J. ‘Zero-Sum? Russia, Power Politics, and the post-Cold War Era: Session at the Brussels Forum with participation of NATO Secretary General Jens Stoltenberg', NATO, 20 March 2015 http://www.nato.int/cps/en/natohq/opinions_118347.htm?selectedLocale=en.

Traynor, I. ‘Russia accused of unleashing cyberwar to disable Estonia', Guardian Unlimited, 17 May 2007 http://www.guardian.co.uk/russia/article/0,,2081438,00.html

Vatis, M. ‘The Council of Europe Convention on Cybercrime', Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing Options for U.S. Policy, Washington, DC, The National Academies Press, 2010 http://www.nap.edu/catalog/12997.html.

Watney, M. ‘Cybercrime regulation at a cross-road: State and transnational laws versus global laws', International Conference on Information Society, 2012.

Wilson, C. ‘Computer Attack and Cyber Terrorism: Vulnerabilities and Policy Issues for Congress', Washington DC, Congressional Research Service, 17 October 2003.

Endnotes

1. Maude, F. The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world, (London, Cabinet Office, 2011). Obama, B. International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World, (Washington DC, The Whitehouse, 2011).
2. This literature spans a broad range of issues but environmental politics has been particularly active. See Death, C. (ed.), Critical Environmental Politics, (London, Routledge, 2014).
3. de la Chapelle, B. ‘Towards Multi-Stakeholder Governance – The Internet Governance Forum as Laboratory', in The Power of Ideas: Internet Governance in a Global Multi-Stakeholder Environment, Kleinwachter, W. (ed.), (Marketing for Deutschland GmbH, 2007).
4. The treaty was introduced in 2001 and entered into force in 2004. As of 2015, 47 states have ratified the treaty while an additional seven have signed but not ratified. For a full list of participating states, see the Council of Europe website at http://www.coe.int/en/web/conventions/full-list//conventions/treaty/185/signatures.
5. DW Staff Writer, ‘NATO Probes Cyber Attacks on Estonia', Deutsche Welle, 18 May 2007, http://www.dw-world.de/dw/article/0,,2542756,00.html?maca=en-rss-en-all-1573-rdf and Traynor, I. ‘Russia accused of unleashing cyberwar to disable Estonia', Guardian Unlimited, 17 May 2007, http://www.guardian.co.uk/russia/article/0,,2081438,00.html.
6. ‘Cyber Warfare – Beyond Estonia-Russia, The Rise of China's 5^th Dimension Cyber Army', Asymmetric Threats Contingency Alliance (ACTA) Briefing, 30 May 2007, http://www.mi2g.com/cgi/mi2g/frameset.php?pageid=http%3A//www.mi2g.com/cgi/mi2g/press/300507.php.
7. Applebaum, A. ‘For Estonia and NATO, A New Kind of War', The Washington Post, 22 May 2007, p. A15 http://www.washingtonpost.com/wp-dyn/content/article/2007/05/21/AR2007052101436.html. Also, ‘Estonia urges firm EU, NATO response to new form of warfare: cyber-attacks', The Sydney Morning Herald, 16 May 2007 http://www.smh.com.au/news/Technology/Estonia-urges-firm-EUNATOresponse-to-new-form-of-warfarecyberattacks/2007/05/16/1178995207414.html and ‘Estonia hit by ‘Moscow cyber war', BBC News, 17 May 2007 http://news.bbc.co.uk/2/hi/europe/6665145.stm.
8. In response to questioning from Russian policy maker Konstantin Kosachev at an alliance planning summit in March 2015, NATO Secretary-General Jens Stoltenberg said that a cyber attack would potentially elicit a military response from NATO. Transcript from ‘Zero-Sum? Russia, Power Politics, and the post-Cold War Era: Session at the Brussels Forum with participation of NATO Secretary General Jens Stoltenberg', NATO, 20 March 2015. http://www.nato.int/cps/en/natohq/opinions_118347.htm?selectedLocale=en. For media coverage of the problems with Article Five that immediately followed the Estonian attacks, see Traynor, I. ‘Russia accused of unleashing cyberwar to disable Estonia', Guardian Unlimited, 17 May 2007 http://www.guardian.co.uk/russia/article/0,,2081438,00.html.
9. It needs to be acknowledged here that DDoS attacks are now regarded at the very low end of cyber security threats with some even suggesting that they should be regarded as a legitimate form of political protest. (See James, S. ‘Hacktivist's Advocate: Meet the lawyer who defends Anonymous', The Atlantic, 2012 http://www.theatlantic.com/international/archive/2012/10/hacktivists-advocate-meetthelawyer-who-defends-anonymous/263202/.) DDoS attacks do not cause damage and are not used for theft. They block access to a site by bombarding it with requests – something like a crowd of protesters preventing access to a building. The difference is that in the context of a physical protest, all of those protesters are consciously participating whereas DDoS attacks often rely upon large numbers of illegally co-opted computers. However, in 2007 DDoS attacks were still regarded as an important part of the overall cyber threat matrix.
10. Carr, M. US Power and the Internet in International Relations: The Irony of the Information Age, (London, Palgrave Macmillan, 2016).
11. Wilson, C. ‘Computer Attack and Cyber Terrorism: Vulnerabilities and Policy Issues for Congress', (Washington D.C., Congressional Research Service, 17 October 2003), p.1.
12. Greenemeier, L. ‘Estonian "Cyber-Riot" Was Planned, But MasterMind Still a Mystery', Information Week, 3 August 2007. http://www.informationweek.com/news/showArticle.jhtml?articleID=201202784
13. Keating, V. & Ruzicka, J. ‘No Need to Hedge: Identifying trusting relationships in international politics', Review of International Studies, 40:4 (2014), pp.753-770. Also Kydd, H. Trust and Mistrust in International Relations, (Princeton, Princeton University Press, 2005); Booth, K. & Wheeler, N.J. The Security Dilemma: Fear, Cooperation, and Trust in World Politics, (New York, Palgrave Macmillan, 2008); Ruzicka, J. & Wheeler, N.J. ‘The Puzzle of Trusting Relationships in the Nuclear Non-Proliferation Treaty', International Affairs, 86:1 (2010), pp. 69-85.
14. Clarke, R.A. & Knake, R.K. Cyber War: The next threat to national security and what to do about it, (New York, HarperCollins, 2010).
15. Rid, T. Cyber War Will Not Take Place, (London, Hurst and Company, 2013), p. xiv.
16. Technology journalist Scott Berinator traces the use of this term back to 1991 when it was used by D. James Bidzos, the president of a computer security firm. However, the term had become common amongst many policy makers by the late 1990s and continues to resonate with experienced cyber security commentators like Richard Clarke and Robert Knake. See Berinato, S. ‘The Future of Security', Computerworld, 30 December 2003 http://www.computerworld.com/s/article/print/88646/The_future_of_security.
17. Net Losses: Estimating the Global Cost of Cybercrime, (Center for Strategic and International Studies, June 2014), http://www.mcafee.com/us/resources/reports/rp-economic-impactcybercrime2.pdf. Note: these estimations are acknowledged to be very difficult for a range of reasons, not the least of which is the reluctance of many in the private sector to publically discuss such losses. For an explanation of how the authors arrive at this figure, see p. 6 of the report.
18. Spafford, E.H. testimony at Cybersecurity: Assessing our Vulnerabilities and Developing an Effective Response, hearing before the Committee on Commerce, Science, and Transportation, United States Senate, 19 March 2009, p. 28.
19. Convention on Cybercrime, Council of Europe, http://conventions.coe.int/Treaty/EN/Reports/Html/185.htm.
20. Convention on Cybercrime, Council of Europe, http://conventions.coe.int/Treaty/EN/Reports/Html/185.htm.
21. Biddle, E.R. ‘Brazil: Cybercrime Law Could Restrict Fundamental Rights, Internet Openness', Global Voices Advocacy Blog, 8 November 2011 http://advocacy.globalvoicesonline.org/2011/11/08/brazil-cybercrime-law-could-restrict-fundamentalrightsinternet-openness/. Harley, B. ‘A Global Convention on Cybercrime?', The Columbia Science and Technology Law Review blog, 23 March 2010, http://stlr.org/2010/03/23/a-global-convention-oncybercrime/.
22. Watney, M. ‘Cybercrime regulation at a cross-road: State and transnational laws versus global laws', International Conference on Information Society, 2012, p. 72.
23. This could apply to any number of developing states but it was highlighted with some force through speculation over recent attacks on South Korea – allegedly by North Korea. Hern, A. ‘North Korean ‘cyberwarfare' said to have cost South Korea £500m', The Guardian, 16 October 2013 http://www.theguardian.com/world/2013/oct/16/north-korean-cyber-warfare-south-korea.
24. Vatis, M. ‘The Council of Europe Convention on Cybercrime', Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing Options for U.S. Policy, (Washington, DC, The National Academies Press, 2010), p. 218. http://www.nap.edu/catalog/12997.html.