Cyberspace: a global threat to peace
By Joseph R DeTrani
The following is the keynote address delivered by the author to the Defcon Conference in Las Vegas on August 2, 2013. The annual event is a two-day conference attended by more than 8,000 computer experts/hackers.
Cyber is a major national security threat, growing in scope, with direct impact to the economic, domestic, and defense interests of the nation. From hacktivists with a politically or socially motivated agenda, to criminals, to state and non-state actors who view cyber intrusions and attacks as means of economic advancement through theft of intellectual property, or espionage, or - in the most extreme case - as a potential weapon of mass destruction (WMD), the cyber domain now shares some of the same issues I have addressed in my years of working WMD.
The Non-Proliferation Treaty (NPT) and the International Atomic Energy Agency (IAEA) were established to address nuclear issues, with significant international membership that, interestingly and unfortunately, doesn't include four of the nine nuclear weapons states as members of the NPT. The reality is that the number of nuclear weapons states could increase significantly if North Korea retains and enhances its nuclear weapons capabilities and Iran pulls the trigger and manufactures nuclear weapons, which they could do in a few months once the Supreme Leader, Ali Hosseini Khamenei, makes this decision - which some say is inevitable, despite the election of Hassan Rouhani as the new president.
These two events, in my view, will incite an international nuclear arms race, with countries like Japan and South Korea in East Asia and Saudi Arabia, Turkey and Egypt in the Middle East each working to obtain their own nuclear weapons capability. This is the nuclear threat the international community confronts today, in addition to the real threat of nuclear terrorism - non-state actors getting their hands on nuclear devices, which we know they want.
That's why these organizations, the NPT and the IAEA, are important; they monitor nuclear programs in Iran, a member of the NPT, with IAEA monitors/inspectors at Iran's nuclear sites in Natanz, Qom and Fordow. Unfortunately, North Korea pulled out of the NPT in 2003, thus there are no IAEA monitors/inspectors in North Korea to monitor nuclear developments - both plutonium and uranium enrichment programs - at Yongbyon and other undeclared sites in North Korea.
Indeed, membership in the NPT and compliance with IAEA safeguards help to ensure that a nuclear arms race does not materialize and that countries like North Korea dismantle nuclear weapons programs, in exchange for promised security assurances and international legitimacy; and that Iran renounces the pursuit of nuclear weapons and overtly pursues the peaceful use of nuclear energy, while also ensuring that those other nuclear weapons states work hard to ensure the security of their nuclear weapons and, eventually, join the US in its goal of a world with no nuclear weapons.
Unfortunately, there are no international organizations with the stature and effectiveness of the NPT and IAEA to oversee cyber security. Additionally, the IAEA promotes the peaceful use of nuclear energy, while trying to inhibit the use of nuclear for military purposes. A few United Nations organizations and some regional and national forums have discussed the future of Internet governance, but there has been minimal progress. Indeed, the very definition of the cyber domain remains blurred - but it is certainly not confined to the borders of a country.
As the Council on Foreign Relations' recent report from the Independent Task Force on cyber security noted, addressing the challenges of cyberspace is a global matter, and "the effects of domestic decisions spread far beyond national borders and will affect not only users, companies, nongovernmental organizations and policymakers in other countries, but also the health, stability, resilience and integrity of the global Internet".
International approaches to cyber security are critical, yet fraught with challenges of balancing free trade with a global regulatory framework and protection of intellectual property, promoting national security, including the security of critical infrastructure, and protecting privacy when national standards on this issue differ across the globe.
The US Executive Order on Improving Critical Infrastructure Cybersecurity is explicit in stating that "the cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats. It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards."
In the global information age, computers and the Internet are integral to every aspect of society - education, health care, economic growth - no area is untouched. Robert Knake, writing for the Council on Foreign Relations, states: "The tremendous gains in economic productivity over the past two decades are the direct result of the expanded use of the Internet for communications, collaboration, outsourcing, just-in-time inventory management, and the control of industrial processes. Internationally, the surge in global trade in both goods and services that has taken place could not have happened without the Internet as an enabling technology."
As with the many peaceful and beneficial uses of nuclear power, there obviously are many peaceful socio-economic uses of information technology. I believe it would be a mistake, however, to think that cyber presently can be used as a tool to counter real or potential nuclear threats, as some have argued. They cite Stuxnet and its reported effectiveness in disabling a certain number of centrifuges in Iran. If true, Iran probably absorbed the loss and moved forward with the fabrication of even more sophisticated centrifuges, beyond the reach of any so-called cyber capability.
As stated in the aforementioned US Executive Order, cyber's true harmful capacity, in addition to stealing intellectual property, is its potential to attack a country's critical infrastructure, ie its electricity grid, water supply, aviation safety systems, communications, financial system, etcetera. It is attacks of this nature that make cyber as potentially harmful as biological and nuclear attacks and therefore it must be approached with equal seriousness and focus on prevention.
Theoretically, any country or person or organization can conduct such attacks, assuming knowledge and capacity. That's not the case with nuclear, given the finite number of nuclear weapons states and the likelihood that if they used their nuclear weapons against another country, they in turn would be attacked - MAD (mutual assured destruction).
Having nuclear weapons is a real deterrent to a nuclear attack. This isn't necessarily the case with cyber. If an event occurred, one can assume who the cyber perpetrator was, but the forensic fingerprint is less apparent, thus making such an attack potentially more attractive to an aggressor. I cite the recent cyber attacks against South Korea, Saudi Arabia, Georgia and the United States. Their impact was devastating. This is not the case with nuclear. And for that very reason, more must be done to ensure that cyber technology is not used for harmful purposes.
The challenge for the international community and its respective governments, in addition to using cyber more effectively for peaceful socio-economic purposes, is to help to create the firewalls necessary to prevent hostile cyber attacks from stealing a country's and company's intellectual property and from attacking a country's critical infrastructure, while also addressing the international challenge of agreement on policies that protect free trade, and international governance of the Internet.
This is the challenge and responsibility confronting the international community. Moreover, can cyber technology generically be used to prevent countries and non-state actors from establishing and sustaining illicit nuclear programs while each nation state doctrinally is studying the role of cyber in military conflict?
In my view, the cyber issue requires NPT- and IAEA-type international organizations that oversee, manage and help to control the use of cyber; organizations that not only monitor the use of cyber but encourage the peaceful use of cyber and permit and aid other countries to benefit from these technological advances. Indeed, the need for an international cyber-ware treaty, similar to the banning of chemical and biological warfare agents post World War I, after we realized the terrible damage that it can cause.
I believe the nuclear issue requires enhanced focus, ensuring that North Korea gives up its nuclear weapons and Iran unequivocally renounces the pursuit of nuclear weapons. These developments, and the progress the US and Russia had with New Start, hopefully will put the international community on a road towards a world with no nuclear weapons. Robert Oppenheimer, the father of the atomic bomb, understood the need to move in this direction when he observed, at the first detonation of a nuclear device on July 16, 1945, citing Hindu scripture: "I am become death, destroyer of the worlds." We have the opportunity and obligation to move in a different direction; not to destroy the world, but to enhance it.
Most of you are experts in the field of information technology. You understand the cyber domain. You understand its beneficial impact on our lives. You also understand the harm it can cause, if used improperly. Indeed, we look to you to develop better tools and help establish policies to fortify and protect our networks. We look to you to develop more secure systems, to discover terrorist plots, to uncover human trafficking, narco criminals, corruption and WMD programs. We look to you to inspire others to organize and enlist good hackers to help combat the sinister hackers who steal intellectual property, disrupt networks, interfere with communications, banking and critical infrastructure. Our private and public sectors need your help; need your expertise to serve society. Using technology wisely has always been the measure of an enlightened society.
The security of our nation needs you, the good hackers at DEFCON.
Joseph R DeTrani, President of the Intelligence and National Security Alliance, a nonprofit organization, was the Special Envoy for Six Party Talks with North Korea from 2003-2006. He was the ODNI Mission Manager from 2006-2010 and until January 2012, Director of the National Counterproliferation Center. The views and opinions expressed in this article are those of the author and are not representative of any US government department, agency or office.