What to do about cyber attacks from state actors and their surrogates? For the State Department and DHS it would seem that the answer is now the courts and international negotiation. Hints of this came recently with the indictment of 5 Chinese military personnel for hacking. An utterly futile gesture as the Chinese are not about to extradite the 5 to stand trial, it bespeaks reliance on legal remedies that are, at best, only a matter of public shaming. Now, however, there is new evidence regarding the U.S. intent to negotiate on cyber with state actors like China, Russia, and Iran.
Along with recent Chinese hacking into the Office of Personnel Management comes a reports that Chinese hackers, almost certainly at the behest of their government, have begun targeting Middle East experts at major U.S. think tanks. This, in response to events in Iraq and, seemingly, an urgent Chinese need to know where U.S. policy regarding them might be going. Operation “Deep Panda,” as it is named by researchers, was announced by Dmitri Alperovitch, chief technology officer of cyber security company CrowdStrike. Alperovitch suggested that perhaps the Chinese were concerned about their oil infrastructure in Iraq. Whether the U.S. will intervene and protect Chinese interests may be the question of the hour for Beijing.
The above came on the eve of last week’s annual Strategic and Economic Dialog between Washington and Beijing. One of Secretary of State John Kerry’s goals is to secure the revival of the Sino-U.S. working group on cyber issues. The group was shut down by the Chinese after the military hackers’ indictments. The intent to negotiate on the matter is another indicator of administration intents. An unnamed official has said:
“We share an interest in a secure and predictable and orderly cyber environment. We see the bilateral U.S.-China working group as an important forum and vehicle for fulfilling our responsibilities and for making progress, so we certainly would like to see the earliest practical resumption of that forum.”
DHS released its 2014 Quadrennial Homeland Security Review on June 18. Despite administration carryings-on about the growth of the cyber threat in complexity and numbers of intrusions, the DHS strategic plan is written in general terms and effectively says nothing we haven’t heard before about “protecting critical infrastructure” from cyber depredations. However, at the very end of its cyber section, the plan strongly hints at the courts and negotiation approach in saying:
“Internationally, DHS will work with the Department of State and other partners to build global networks to share vital cybersecurity information and help enable international response to cyber incidents. DHS, with our partners, will also work to harmonize international laws to effectively combat transnational cybercrime.”
The most revealing—and troubling—indicator of administration cybersecurity intent comes from a 40-page draft State Department report dated July 2 and obtained by Inside Cybersecurity. The year-long study was done by State’s International Security Advisory Board, chaired by former Senator Gary Hart with the writing done under the supervision of retired Army General Montgomery Meigs.
As Inside Cybersecurity says, the study is an "effort to craft a "framework for international cyber stability" and endorses "ongoing work on international norms of behavior for cyberspace and urging industry involvement, though the document fails to break much new ground.” However, the opening paragraphs of the report reveal the administration’s intent to focus on negotiations, one might say in the spirit of 21st-century “international norming:”
“Since current international law is not yet well developed in the cyber realm, we propose that the United States articulate norms consistent with existing international law and U.S. values, while recognizing the uncertainties surrounding cyber activities. As the United States anticipates a response to all consequences of a cyber attack on itself, allies or vital interests, in order to limit unintended escalation the United States should set rigorous rules of engagement for military and civilian organizations for responding to significant attacks using cyber means. Cyber stability would enhance continuity of relations between nations in the face of attack or exploitation through cyber means.”
The implication here is that international norming on cybersecurity must necessarily precede U.S. policy and action. Notice the phrase “in order to limit unintended escalation” that precedes the admonition that the U.S. must set “rigorous rules of engagement.” The clear intent is to put international law on a par U.S. national security.
What is perhaps more important is by whom the study was commissioned—Under Secretary of State for Arms Control and International Security Rose Gottemoeller. Inside Security had access to Ms. Gottemoeller’s July 2013 memo launching the review. Her instructions are substantial and too lengthy to cite here. It’s clear from them that the goal is a “global, like-minded coalition, and regional approaches.” They stipulate that the study should “identify the principles, norms and commitments that should guide states collaborating to promote cyber stability.” Gottemoeller indicates the study should “identify cyber-stability approaches, including confidence-building measures, that would most likely persuade other states to cooperate; figure out how to deal with different cybersecurity priorities among states; find ways to encourage restraint and deter war in cyberspace; and identify ‘options for responding to malicious cyber acts.’"
While Under Secretary Gottemoeller’s instructions and the study produced comport with the Obama administration’s characteristic emphasis on the “internationalization” of U.S. foreign policy, the fact that Gottemoeller was tasked by Secretary Kerry with the undertaking is revealing and an ominous sign. Gottemoeller is in charge of the Arms Control bureau. Does this mean that the administration now considers managing cyber threats to be a matter of arms control?
Washingtonians in particular are well aware of the arms control mentality, which includes the belief that as long as we’re talking to our adversaries, we won’t be fighting with them. Arms control has been undertaken in the spirit that genuine arms reductions can be negotiated, even with resolute adversaries. The fact of the lack of transparency, noncompliance, and plain old cheating with regard to nukes has hardly discouraged those with the arms control mentality. So, does turning cybersecurity policy at State over to the arms control bureau in some sense mean the endless negotiation of meaningless and ineffectual bi- and multilateral cybersecurity pacts? One hopes not.
President Obama is, of course, committed to a WMD-free world. Inasmuch as cyberwarfare is clearly in the cards for the future (just ask the Chinese, who believe this earnestly enough to make it an element of military planning), does the president now regard cyber as a form of WMD? If so, is the cyberthreat for him like that of nuclear weapons (that is to say, a genie that can’t be put back in the bottle), but is surely controllable by agreements based on international values?
Or is the latest action by the State Department simply another example of the administration’s “all wind, no rain” approach to security and international involvements?
Ken Jensen is associate director of the American Center for Democracy for its Economic Warfare Institute.