The Mouse Click that Roared


09 September 2013

CAMBRIDGE – Until recently, cyber security has primarily interested
computer geeks and cloak-and-dagger types. The Internet’s creators, part of
a small, enclosed community, were very comfortable with an open system in
which security was not a primary concern. But, with some three billion or
so users on the Web nowadays, that very openness has become a serious
vulnerability; indeed, it is endangering the vast economic opportunities
that the Internet has opened for the world.

A “cyber attack” can take any number of forms, including simple probes,
defacement of Web sites, denial-of-service attacks, espionage, and
destruction of data. And the term “cyber war,” though best defined as any
hostile action in cyberspace that amplifies or is equivalent to major
physical violence, remains equally protean, reflecting definitions of “war”
that range from armed conflict to any concerted effort to solve a problem
(for example, “war on poverty”).

Cyber war and cyber espionage are largely associated with states, while
cyber crime and cyber terrorism are mostly associated with non-state
actors. The highest costs currently stem from espionage and crime; but,
over the next decade or so, cyber war and cyber terrorism may become
greater threats than they are today. Moreover, as alliances and tactics
evolve, the categories may increasingly overlap. Terrorists might buy
malware from criminals, and governments might find it useful to hide behind

Some people argue that deterrence does not work in cyberspace, owing to the
difficulties of attribution. But that is facile: inadequate attribution
affects inter-state deterrence as well, yet it still operates. Even when
the source of an attack can be successfully disguised under a “false flag,”
governments may find themselves so enmeshed in symmetrically
interdependent relationships that a major attack would be
counterproductive. China, for example, would lose from an attack that
severely damaged the American economy, and *vice versa*.

An unknown attacker may also be deterred by cyber-security measures. If
firewalls are strong, or redundancy and resilience allow quick recovery, or
the prospect of a self-enforcing response (“an electric fence”) seems
possible, an attack becomes less attractive.

While accurate attribution of the ultimate source of a cyber attack is
sometimes difficult, the determination does not have to be airtight. To the
extent that false flags are imperfect and rumors of the source of an attack
are widely deemed credible (though not legally probative), reputational
damage to an attacker’s soft power may contribute to deterrence.

Finally, a reputation for offensive capability and a declared policy that
keeps open the means of retaliation can help to reinforce deterrence. Of
course, non-state actors are harder to deter, so improved defenses such as
pre-emption and human intelligence become important in such cases. But,
among states, even nuclear deterrence was more complex than it first
looked, and that is doubly true of deterrence in the cyber domain.

Given its global nature, the Internet requires a degree of international
cooperation to be able to function. Some people call for the cyber
equivalent of formal arms-control treaties. But differences in cultural
norms and the difficulty of verification would make such treaties hard to
negotiate or implement. At the same time, it is important to pursue
international efforts to develop rules of the road that can limit conflict.
The most promising areas for international cooperation today most likely
concern problems posed for states by third parties such as criminals and

Russia and China have sought a treaty establishing broad
international oversight of the Internet and “information security,” which
would prohibit deception and embedding malicious code or circuitry that
could be activated in the event of war. But the US has argued that
arms-control measures banning offensive capabilities could weaken defenses
against attacks and would be impossible to verify or enforce.

Likewise, in terms of political values, the US has resisted agreements that
could legitimize authoritarian governments’ censorship of the Internet –
for example, by the “great firewall of China.” Moreover, cultural
differences impede any broad agreements on regulating online content.

Nonetheless, it may be possible to identify behaviors like cyber crime that
are illegal in many domestic jurisdictions. Trying to limit all intrusions
would be impossible, but one could start with cyber crime and cyber
terrorism involving non-state parties. Here, major states would have an
interest in limiting damage by agreeing to cooperate on forensics and

The transnational cyber domain poses new questions about the meaning of
national security. Some of the most important responses must be national
and unilateral, focused on hygiene, redundancy, and resilience. It is
likely, however, that major governments will soon discover that the
insecurity created by non-state cyber actors will require closer
cooperation among governments.

