Some Modest Steps Towards Improving US-China Relations in Cyberspace

Transcription

1 Some Modest Steps Towards Improving US-China Relations in Cyberspace Herb Lin CISAC/Hoover Stanford University (after 1/1/2015) December 5, /20/2014 1

2 SOURCE MATERIAL /20/2014 2

3 The importance of cybersecurity to both nations Economy Research and development Control of advanced manufacturing Control of critical infrastructure electric power telecommunications Banking and finance Education and training Civil government functions National security Defense Intelligence Law enforcement 12/20/2014 3

4 United States and China Competitors with different interests Protection of free speech Protection of intellectual property Supremacy of individual rights Partners with similar interests and common ground. 12/20/2014 4

5 Many differences U.S. private sector is very separate from U.S. government as compared to China: U.S. private sector is often successful in challenging government actions. U.S. private citizens do not always act in accordance with U.S. government wishes and desires. U.S. government does not collect intelligence to benefit U.S. private sector companies. U.S. government is often restrained by Congress and judiciary, even when acting for national security; Chinese government is more unitary. U.S. government makes public a great deal of information about its defense strategies (including cyber), although many things are classified; Chinese government is apparently reluctant to discuss specifics of its security in cyberspace. 12/20/2014 5

6 A comparison (much exaggerated and stereotyped) United States China Rights Political over economic Economic over political Societal stability Important Very, very important History Unimportant Important Knowledge and wisdom of other nations Not valued Valued Trust in government or other authorities No Yes 12/20/2014 6

7 Premises The U.S.-China relationship is the most important bilateral relationship in the twenty-first century The United States and China have common interests in cyberspace, even if the relationship may sometimes be tense or adversarial. Both nations should work to build common understandings regardless of the rhetoric of their leaders. Each side profoundly misunderstands the other. 12/20/2014 7

8 Three categories of problems Problems involving fundamental differences between U.S. and China. Political systems Concepts of basic rights (free speech, sovereignty) Problems that both countries face Protection of critical infrastructure Developing more secure code Problems whose solution requires cooperation Prevention of inadvertent escalation Confidence-building measures Dialog and understanding` 12/20/2014 8

9 Some possible common ground Common vocabulary Shared and accurate conceptual understanding Dissimilarity between nuclear and cyber Attribution Curbing criminal activity in cyberspace Preventing inadvertent escalation Communicating during crisis Differentiating exploitation from attack (especially during crisis) Cooperating against 3 rd party provocateur Declaring cyber-cease fire 12/20/2014 9

10 Common vocabulary 12/20/

11 Common vocabulary Cyberspace Cyber attack Cyber exploitation Deterrence Private sector Critical infrastructure Laws of war in cyberspace 12/20/

12 The meaning of deterrence Deterrence in cyberspace.. relies on two principal mechanisms: denying an adversary s objectives and, if necessary, imposing costs on an adversary for aggression. Section%20934%20Report_For%20webpage.pdf Cyberspace is a field where security can hardly be secured through deterrence. During the era of the nuclear arms race, mutual deterrence remained a top concern of rival countries. In the same way, the offenseand-defense game of cyber deterrence will only lead other countries to improve their offensive and defensive cyber skills. 12/20/

13 The meaning of laws of war in cyberspace established principles of international law do apply in cyberspace. Harold Koh, Legal Advisor U.S. Department of State, September 18,2012, Koh also noted that at least one country has questioned whether existing bodies of international law apply to the cutting edge issues presented by the Internet. More recently, China is alleged to have accepted that the laws of war apply in cyberspace, but no authoritative statement is available. Many uncertainties about how laws of war should be interpreted in any given instance. 12/20/

14 Conceptual understanding 12/20/

15 Chinese statements on cyber conflict If Internet security cannot be controlled, it s not an exaggeration to say the effects could be no less than a nuclear bomb, The Internet is open to everyone and attacks can be launched from anywhere. Fang Fenghui, chairman of the People s Liberation Army General Staff (Bloomberg News, Apr 22, Cyber arms are more horrible than nuclear weapons. Once cyber warfare is triggered there will never be peaceful days. People s Daliy, 9 May 2013, 12/20/

16 American statements on cyber conflict Cyber is sort of the modern day,.. the 21st century nuclear weapons equivalent. John Kerry, Secretary of State confirmation hearings, 14 January 2013, Senate Foreign Relations Confirmation hearing, Confirmation-Testimony.pdf The single biggest existential threat that s out there, I think, is cyber Cyber actually, more than theoretically, can attack our infrastructure, our financial systems Mike Mullen, former Chair of US Joint Chiefs of Staff, July 7, 2013, /DoD-Release-Public-Version-Cyber-Strategy 12/20/

17 The reality Cyber weapons are not like nuclear weapons, and cyber conflict is not like nuclear conflict. A single nuclear weapon exploding can kill 10 5 people instantly. Multiple nuclear weapons exploding could end modern civilization. Nuclear explosion a distinct threshold event that all can recognize. Only a few nations can wield nuclear weapons; private sector has none. Damage from a nuclear weapon explosion is long-lasting and rebuilding is very hard. Many of the same questions/issues arise in cyber as in nuclear (as well as in many other forms of conflict), BUT answers to these questions are mostly very different. 12/20/

18 On attribution 12/20/

19 Decomposing attribution Definition of responsible party can have many meanings from this example: The machine that is directly connected to the target (computer Y) The machine that launched or initiated the operation (A) The individual (George) sitting at the keyboard of the initiating machine. Other possible meanings: The geographical location of the machine that launched or initiated the operation (George is sitting at a keyboard located in Greece) The nation under whose jurisdiction the named individual falls (George is a citizen of Germany). The entity under whose auspices the individual acted (George works for the Japanese Ministry of Defense). 12/20/

20 Evidence for attribution Very hard/impossible if (and only if) Perpetrator s techniques are unprecedented Perpetrator s actions have left no clues Perpetrator has maintained perfect operational security (no one else knows) Perpetrator s motivations or demands are unknown Easier/possible if any of these conditions are violated and the likelihood of violation increases over time. Evidence builds up spinning a coin once vs. many times, comes up heads every time. Assigning responsibility is a political act, not a technological problem. 12/20/

21 Curbing criminal activity in cyberspace 12/20/

22 Curbing criminal activity in cyberspace Spam Fighting Spam to Build Trust, East-West Institute and Internet Society of China Child pornography 18 Child Porn Websites Shut Down: Result of Joint U.S.-China Cooperation a man [in the United States] was recently indicted on federal charges of running 18 Chinese-language child pornography websites in New York... The FBI investigated this case in the U.S. [and].. received what U.S. Attorney Preet Bharara of the Southern District of New York called extensive cooperation and assistance from the Chinese Ministry of Public Security. s_ /20/

23 Preventing inadvertent escalation 12/20/

24 Communicating during crisis Explicit communication Hotlines? Third party intermediaries? Signaling by actions risk of inadvertent escalation (mutual misunderstanding regarding thresholds). Communicating thresholds regarding activity in cyberspace is particularly problematic, in peacetime. Active threat neutralization and exploitation can be interpreted as attack How to define and communicate thresholds? How to keep tight control over lower-level personnel, who may do things with provocative results? Overzealous interpretation of standing rules of engagement Unintended damage Soldiers going beyond or acting in violation of orders Civilian acting without authorization 12/20/

25 Differentiating exploitation from attack (especially during crisis) Attacks and exploitations Look similar from the victim s perspective. Are entirely different from the perpetrator s perspective. Intermingling of civilian and military networks, nuclear and conventional military networks can lead to escalation. How, if at all, can perpetrator signal the victim that an operation is an attack vs an exploitation? How, if at all, can perpetrator signal that an exploitation is for national security purposes rather than for economic purposes? Consider both technical and non-technical means. 12/20/

26 Cooperating against 3 rd party provocateur Catalytic escalation a third party provokes two parties to engage in conflict. Inherent anonymity of cyber operations make false-flag operations easier to undertake in cyberspace. Misdirected retaliatory act intended to discourage further attacks is seen overtly offensive. What structures must be established in advance to investigate such actions? 12/20/

27 Declaring cyber-cease fire A clear understanding about what the terms of any agreement require each side to do. How to know where cyber weapons are deployed (needed for demining ) Capabilities for each party to verify compliance with the terms of a cease-fire. How much information would be shared by one nation with another? Why would either nation believe a claim by the other that it was complying with the terms of a cease-fire? Overt or cooperative intelligence not likely to be believed Covert cyber exploitation to gain intelligence likely to be misinterpreted if discovered Patriotic hackers continuing Differentiating background of ongoing normal hacking No national identifiers on attack traffic so cessation cannot be verified 12/20/

28 For more information Herb Lin Stanford University Center for International Security and Cooperation Encina Hall, C Serra Street Stanford, CA /20/