Cyber Security
Negotiating meanings for security in the cyberspace
Roxana Radu
Abstract
Purpose – This paper aims to review the current debates regarding the role of the state in securing the
cyberspace, with a particular focus on the negotiations taking place in the UN General Assembly
(UNGA).
Design/methodology/approach – This paper reflects on the evolution of the UNGA discourse on the
role of the state in protecting the cyberspace, based on the textual analysis of all UNGA resolutions
pertaining to the politico-military aspects of internet security.
Findings – The paper finds that the lack of an officially adopted definition for internet security in the
UNGA discussions led to agreement solely on informative, best practice sharing or voluntary activities
addressing other states, rather than providing an integrated vision for protecting the cyberspace.
Research limitations/implications – The analysis is limited to the negotiations taking place in one
institutional venue, namely the UNGA between 1998 and 2011, complemented by three resolutions
issued by the ITU in 2010; activities conducted in other institutional venues might influence or determine
the overall discourse noted in the resolutions under investigation here.
Originality/value – This represents the most comprehensive account of the discourse on the role of the
state in securing the cyberspace as presented in the UNGA and ITU resolutions and its evolution over
time.
Keywords Internet, Cybersecurity, General Assembly, ITU, States, United Nations
Paper type Research paper
Introduction
The security of the cyberspace has become one of the major global policy areas of the
twenty-first century (Deibert and Rohozinski, 2010, p. 29), and an arena for intense political
contestation (Singh, 2011, p. 232; Deibert, 2012)[1]. The dangers posed by the virtual
environment are disputed, with journalists and researchers highlighting either the menace of
a ‘‘digital Pearl Harbor’’ (Sterner, 1996; Bendrath, 2003) or the ‘‘unsubstantiated nature of
cyber threats’’ (Dunn Cavelty and Rolofs, 2010). The debate over ensuring protection online
has also underlined that the current infrastructure of the internet does not contain embedded
security guarantees, as it was primarily designed to facilitate access and open sharing of
information (Talbot, 2006; Markoff, 2012).
While a transnational comprehensive approach in this field has yet to emerge, the increasing
attention paid to cyber security in policy work represents a cumulative process and sets the
foundation for future action (Harknett and Stever, 2011). Such work also faces a series of
(new) cross-sector regulatory challenges, due to the size and magnitude of the protection
endeavor (Chertoff, 2008). Along these lines, this contribution investigates the discourse on
the role of the state in one of the most active institutional venues within the UN, the General
Assembly. In this ambit, the discussions started in 1998 with a draft resolution proposed by
Russia on ‘‘information security’’ with yearly iterations, followed by the 2002 ‘‘culture of cyber
security’’ resolution sponsored by the USA; additionally, following the second phase of the
World Summit on the Information Society (WSIS), the International Telecommunications
Union (ITU) was entrusted to work towards Action Line C5 for building confidence and
security in the use of ICTs.
info | VOL. 15 NO. 6 2013, pp. 32-41, © Emerald Group Publishing Limited, ISSN 1463-6697 DOI 10.1108/info-04-2013-0018
Roxana Radu is a PhD candidate at the International Relations/Political Science Graduate Institute of International and Development Studies, Geneva, Switzerland.
The author is grateful for inspiring discussions and valuable feedback received at the 7th Annual GigaNet Symposium (Baku, November 5, 2012).
Received 20 April 2013
Revised 2 July 2013
Accepted 11 July 2013
This article aims to unveil how security in the cyberspace is defined in the UN system and
what implications that has for shaping the entitlement to participation in its governance for
different types of actors. Given the current stalemate in the UN negotiations concerning the
politico-military aspects of cyber security, the definition of issues to be covered and of the
agents that could or should get involved becomes crucial for understanding the broader
roles assigned in the regulation of one of the newest issue domains. The investigations
presented in this contribution focus on decision-making bodies for the politico-military
aspects of security in the cyberspace, leaving aside cyber-crime. While in practice it is
sometimes difficult to disentangle the two types of activities (as in the case of cyber
espionage), cyber-crimes are perceived to be a non-state sponsored action deemed illegal
at the national or international level (Hathaway et al., 2012).
Here, the underlying premise is that the definition of security concerns, as well as of the roles
assigned to different political bodies in such global deliberation processes may serve for
setting precedents and guiding action even in non-binding decision exercises. This article
offers the first systematic analysis of the implications of the wording used in UNGA and ITU
resolutions over time, based on the textual analysis of relevant documents. It starts by
reviewing the internet security debates around the role of states, followed by a discussion of
the activities pertaining to this new issue domain within the UN. The methodological aspects
are addressed in the third section, detailing the textual analysis procedure. The subsequent
part investigates the implications of the way in which security in the cyberspace is defined
throughout time in the UNGA and ITU resolutions from 1998 to 2011, pointing out the lack of
shared definitions and the way in which stakeholders are defined. The final section
concludes by assessing the internet security developments in the UNGA and ITU and their
implications.
Evolution of internet security concerns
Internet security poses a series of tensions at the intersection between national security,
human security, and private security (Buckland et al., 2010), juxtaposing not only state and
private interests in preserving a safe environment, but also concerns over regulation that
might restrict privacy and freedom of expression at the individual level. Computer
security-related concerns attracted public attention in the early 1980s, when the first cyber
viruses were developed (Nye, 2010, p. 3); by the mid-1990s, these concerns became much
more widespread with the emergence of the so-called ‘‘recreational hackers’’ (Sommer and
Brown, 2011). Yet, cyber-security discussions have only been placed on global agendas in
the post-Cold War context (Hansen and Nissenbaum, 2009), taking prominence in the late
1990s.
The official acknowledgement of cyber-security as a ‘‘high-priority’’ (ITU Resolution 45 of
2010) points to the growing importance of creating multilateral instruments for tackling
potential cyber-risks. The creation of regional and global institutional venues for internet
security negotiations reflects the understanding of the transnational nature of online security.
Cyber-threats can target the availability of data and information, its integrity and/or its
confidentiality; the purpose of such actions can range from probing the limits of
cyber-defense in other countries to signaling power positions and finally to inflicting
damage. So far, responses have come primarily in the form of ad hoc security
governance networks, or public-private cooperation (Mueller et al., 2013).
Currently, all major formal and informal international organizations host meetings to discuss
cooperation regarding security in the cyberspace, including specialized working groups
within regional bodies such as Asia-Pacific Economic Cooperation (APEC), the European
Union (EU), the Group of 8 (G8), the Organization of American States (OAS), the
Organization for Economic Cooperation and Development (OECD), the Association of
Southeast Asian Nations (ASEAN), and the Shanghai Cooperation Organization (SCO).
While no new entity has been empowered to regulate internet security at the international
level, different technical aspects likely to have an impact on it are tackled outside of
inter-governmental organizations, in fora such as IETF, W3C, ICANN, ISO, etc. At the national
level, a series of reforms have prioritized cyber-security, including the creation of new
agencies or the re-tasking of existing ones to work on cyber-defense.
Originally, the threats posed to internet security were solved informally, without
appealing to other institutions; this was, in part, due to the localized nature of risks, which
remained confined and relatively low in the early years of the internet. This led to highly
specialized expertise built within firms and rarely shared across businesses, which partially
explains the lack of intra-sectoral coordination that prevails today. However, while the private
sector handles the daily operation of networks and owns them, it lacks the authority to
pursue perpetrators legally. To date, the most important legal source for our international law
system remains the UN Charter, designed as a sovereign-centric system.
Security has been the key pillar for the legitimacy of nation-states, and new technologies
have historically been linked to national interest soon after their invention. For the internet,
governments exert authority and control over both physical infrastructure providing access
to the internet and the online content. While the rationales for such intervention differ, the
practice of restricting access to content in the name of public interest is just as common in
liberal democracies as it is in authoritarian regimes (Deibert, 2012). Yet, governments
around the world come under considerable pressure nowadays from non-state actors, better
equipped to challenge their position (Nye, 2011). As a new domain of power, the
cyberspace is a realm of contestation for states, private actors and civil society groups,
which may work together or against each other, in a global space so far lacking built-in
mechanisms for accountability (Radu, 2012).
For analytical purposes, Deibert and Rohozinski (2010) introduce the distinction between
‘‘risks to cyberspace’’ (to critical infrastructure and communication networks) and ‘‘risks
through cyberspace’’, generated or articulated using ICT, but not purposefully directed
against the physical structures. As they show, there are contradictory movements in the
actions taken by governments to address these problems: on the one hand, measures are
taken to achieve greater cooperation at the international level for the protection of critical
infrastructure, underlying the preservation of a free and open internet; on the other hand,
increasing divergence can be noticed in the national efforts against risks through
cyberspace, as governments tend to impose – within their national boundaries – measures
that limit the potential of global connectivity by filtering, blocking, surveilling content, etc. In
spite of the different forms taken, cyber concerns have been securitized at the highest level
(Hansen and Nissenbaum, 2009).
The lack of shared definitions across the world has led to a relatively slow negotiation
process for security in the cyberspace, in which interpretation differentials play a major role.
The subject remains relatively difficult to study, primarily due to its complexity and volatility
(Dunn Cavelty and Mauer, 2007, p. 151). So far, limited agreement has been reached for
advancing discussion on adapting existent international legal commitments or establishing
new ones to tackle cyber security (Hathaway et al., 2012). Additional impediments come
from the overlap with private property rights, since many resources necessary for the
cyberspace are not in the public domain. For the purpose of this contribution, I focus
exclusively on discussions about security in the cyberspace at the level of global
decision-making public bodies (regarding legislation, consensus building, norms, etc.) in
UNGA, as distinct from implementation or technical bodies (such as Computer Emergency
Response Teams, private firms, etc.).
Methodological delineations
Previous efforts to decipher the power dynamics involved in the drafting of UNGA and ITU
resolutions on security in the cyberspace have been scarce and unsystematic. They have
either scrutinized the militarization of cyberspace (Yannakogeorgos, 2009) or the extent to
which the UN plays a key role in introducing and shaping norms for the cyberspace (Maurer,
2011). The present analysis relies on the textual analysis of UN documents, a method
extensively used in dealing with UN proceedings. It included, among others, an analysis of
the emotive and instructive wording in the UN Security Council resolutions with regards to
equal treatment of member states (Gruenberg, 2009) or the role of ‘‘key word strategies’’ as
constitutive of the WSIS as a process and as a policy practice (Franklin, 2007). Allowing a
detailed investigation of changes over time, textual analysis can shed light on definitional
issues negotiated in the UN ambit and assigned roles for Internet security. In line with
George’s (1994) assertion, this will be used to ‘‘illustrate how [. . .] textual and social
processes are intrinsically connected, and to describe, in specific contexts, the implication
of this connection for the way we think and act in the contemporary world’’ (p. 191).
The UN has contributed to norm creation and norm diffusion in many issue domains, such as
the human rights regime and sustainable development (Karns and Mingst, 2004). This was
primarily done via resolutions, whose number exceeded 1,100 in the last two decades
(Gruenberg, 2009). Internet security has been addressed at different levels within the UN,
including the UN Institute for Disarmament Research (UNIDIR), the UN Global Alliance for
ICT and Development (UN-GAID) and the Internet Governance Forum (IGF). However, the
most consistent work on this was done in the framework of the UNGA and the ITU. Apart from
mentioning the related use of the internet for terrorist purposes, none of the Security
Council’s resolutions have so far referred to internet security. While UNGA resolutions remain
largely non-binding, they are the only ones voted on by all members of the UN. The ITU is
responsible for carrying out the WSIS Action Plan C5 on ‘‘Building confidence and security in
the use of ICTs’’; it comprises all 193 UN member states and over 700 private companies
and organizations.
For this study, I analyzed all UNGA resolutions on internet security issued between
December 1998 and November 2011, excluding those on cyber-crime. Additionally, I
included the 2010 report of the Group of Governmental Experts (GGE) and three ITU
resolutions, as well as the latest draft resolution submitted to the UNGA Secretary General on
‘‘International code of conduct for information society’’ in 2011[2]. In the focused coding, I
recorded two aspects:
1. wording used with reference to security in cyberspace; and
2. implication(s) for the participants, i.e. who they are, and what roles they are assigned.
The UNGA resolutions follow a (semi-)standardized format, consisting, in the first part, of
broader motivations for issuing the resolution, and in the second part of recommendations
for member states. Structured along these lines, the coding process entailed an analysis of
what has been included and excluded at different points in time with regard to the primary
objects (the issue discussed) and subjects (the actors) of the resolutions.
Cyber security on the UNGA agenda – in search of a definition
The UNGA initiatives in the area of internet security have remained rather loose and did not
succeed in fostering agreement over common definitions or middle ground for consistent
international cooperation. Up to 2011, the UNGA discussed three resolutions regarding
security in the cyberspace, yet none of them contained a definition of what is meant by
security in the cyberspace. The first resolution in this regard – i.e. ‘‘Developments in the
field of information and telecommunications in the context of international security’’ (53/70)
– was introduced by the Russian Federation in the First Committee of the GA in 1998 and
different versions of it were discussed every year thereafter, with the most recent iteration in
November 2011. In the Second Committee of the GA, the resolution on ‘‘Creation of a global
culture of cyber security and the protection of critical information infrastructures’’ (57/239)
was introduced by the USA in 2002 and adopted in 2005, calling for ‘‘prioritizing cyber
security planning and management’’ and for the adoption of nine elements for creating a
global culture of cyber security. The USA also sponsored the introduction of a follow-up
resolution: ‘‘Creation of a global culture of cyber security and taking stock of national efforts
to protect critical informational infrastructures’’ (64/211), adopted in 2010.
The slightly modified text of the 1998 resolution was adopted without a vote every year until
2005, when a formal vote was cast at the 60th session of the UNGA. The voting results
displayed a situation which came very close to consensus, with 177 states in favor, no
abstentions, and one vote against (the USA). The form of the resolution voted on contained
an important change vis-à-vis its iterations up to that point. What had previously been an
invitation addressed to member states to inform the Secretary General of their views and
assessments on ‘‘the definition of basic notions related to information security [. . .] and
information resources’’ was changed to ‘‘efforts taken at the national level to strengthen
information security and promote international cooperation in this field’’, thus lowering the
incentives to agree on basic terms and pushing back the discussion to a rather vague
common denominator.
The support for this resolution varied over time. While Russia was its only sponsor up to 2005,
in 2006 it gained 13 additional sponsors in Armenia, Belarus, Chile, China, Ethiopia,
Kazakhstan, Kyrgyzstan, Madagascar, Mali, Myanmar, Tajikistan, Turkmenistan and
Uzbekistan; in 2007, Turkmenistan, Cuba, Japan and Nicaragua were its co-sponsors,
together with the Russian Federation; in 2008, there were 24 sponsors and three new
co-sponsors in Brazil, Vietnam and Fiji. Notably, in 2010, the resolution had 36 sponsors,
including – for the first time – the USA, Canada, Germany and Australia. In 2011, some of
the countries withdrew their support and the sponsorship went down to 32. Notably, some of
the participant countries eagerly backing the resolution – such as Russia, China,
Kazakhstan, Kyrgyzstan, Tajikistan and Uzbekistan – have also been pursuing
cyber-cooperation in other institutional venues. In the framework of the Shanghai
Cooperation Organization (SCO), there is an agreement on international information
security dating back to 2009. This agreement includes a glossary of terms used, and sets
the common ground for coordinating positions in other international fora.
The second resolution, proposed by the USA in 2002 and adopted without a vote by the
General Assembly in January 2005, aimed at creating a ‘‘culture of cyber security’’ and
proposed a number of baseline principles. Its sponsorship initially included Australia,
Japan, and Norway, but later revisions of the draft text added 36 other supportive member
states. The version of the resolution introduced in 2003 added the protection of critical
information infrastructure (CII) to its text, and an invitation to member states to develop
strategies to protect CII. The most important modification in this resolution concerns the
replacement of ‘‘principles’’ with ‘‘elements’’ for a global culture of cyber-security, thus
diminishing its strength. The nine elements it puts forward are:
1. awareness;
2. responsibility;
3. response;
4. ethics;
5. democracy;
6. risk assessment;
7. security design and implementation;
8. security management; and
9. reassessment.
Of particular interest is the framing of two of these elements, namely ethics and democracy.
The first upholds that ‘‘participants need to respect the legitimate interests of others and
recognize that their action or inaction may harm others’’, while the latter asserts that ‘‘security
should be implemented in a manner consistent with the values recognized by democratic
societies, including the freedom to exchange thoughts and ideas, the free flow of
information, the confidentiality of information and communication, the appropriate protection
of personal information, openness and transparency’’.
These two types of resolutions reflect a deeply rooted distinction between the way in which
the USA and Russia have conceived internet security, and the fundamental disagreement
over a common definition; on the one hand, the USA, Canada and the EU have favored open
communication principles, whereas Russia has more strongly asserted sovereignty and
territorial controls, pushing for a greater role of the UN in cyber-governance (Deibert, 2012).
This tendency is also visible in a new proposal made to the UN Secretary General in
September 2011 for the introduction of an ‘‘International code of conduct for information
security’’ (66/359) by the representatives of Russia, China, Tajikistan and Uzbekistan. The
most controversial part of the document states that the signatories of the code:
. . . endeavor [. . .] to prevent other States from using their resources, critical infrastructures, core
technologies and other advantages to undermine the right of the countries, which accepted this
Code of Conduct, to independent control of information and communications technologies or to
threaten the political, economic and social security of other countries.
While this resembles a reassessment of the non-interference principle in the cyberspace, by
redefining the responsibilities of the international community and of individual member
states, it also draws a clear distinction between the positions of different influential regional
blocs.
In contrast, a recent US shift in national policy emphasized the need for global norms and
policies for internet security, with the 2009 Cyberspace Policy Review concluding that
‘‘international norms are critical to establishing a secure and thriving digital infrastructure’’
(p. IV) and that different national and regional laws and practices represent an obstacle in
securing the cyberspace. A similar acknowledgement of the nature of the global internet is
provided in the Department of Defense Strategy for Operating in Cyberspace (July 2011),
which mentions that ‘‘cyberspace is a network of networks that includes thousands of
internet service providers across the globe; no single state or organization can maintain
effective cyber defenses on its own’’. Consequently, the positions of the USA and Russia –
the two most active states in the UNGA on internet security – seem difficult to reconcile,
both for agreeing on a common approach and for adopting an official definition of what is to
be understood by security in the cyberspace.
The UNGA discussions have so far been conducted in the absence of any definition for
internet security, with the exception of a definition put forward by the ITU, which may serve to
guide action also in other institutional venues, given the overlapping state membership. The
‘‘Overview of cybersecurity’’, which was approved on 18 April 2008 by ITU-T Study Group
17, contains a taxonomy of the security threats from an organizational point of view.
Accordingly, cyber-security was understood as ‘‘the collection of tools, policies, security
concepts, security safeguards, guidelines, risk management approaches, actions, training,
best practices, assurance and technologies that can be used to protect the cyber
environment and organization and user’s assets’’[3], and this was officially acknowledged
for further incorporation in activities pertaining to building confidence and security in the use
of ICTs in the Resolution 181 of 2010. The same document recognizes that ‘‘the definition of
cyber security may need to be modified from time to time to reflect changes in policy’’, thus
emphasizing a dynamic stance taken by the UN agency.
In their analysis of the stalemate in forming a global governance regime for the internet,
Mueller et al. (2007) identify the absence of an agreed-upon set of basic principles and
norms for internet governance as the main obstacle in proceeding further. This also
concerns the lack of common definitions that could represent the foundations of discussions
for the establishment of a ‘‘framework convention’’ similar to the climate change convention
under the UN umbrella. In the case of the UNGA, this also appears to be the case for the past
decade of internet security negotiations, in spite of the reaffirmation of urgency of actions
needed.
In the different UNGA resolutions up to 2011, the preferred wording for the vulnerabilities and
dangers posed by the advent of ICTs is ‘‘threats’’. Notably, resolution 64/211, adopted in
2010, emphasized the ‘‘increasingly transnational nature’’ of cyber-threats. This contrasts
sharply with the much more frequent employment of ‘‘risks’’ rather than ‘‘threats’’ in the
wording of ITU resolutions. The difference between the two implies a differentiated course of
action, as threats are understood as direct and imminent, whereas risks are indirect, more
distant, unintended (Rasmussen, 2001) and, as such, are prone to the elaboration of
long-term risk management strategies rather than to the implementation of security
measures under extraordinary conditions.
The most comprehensive reference to this type of insecurity is to be found in ITU
Resolution 181, which cautiously mentions the ‘‘potential emergence of new and unforeseeable risks
and vulnerabilities in relation to confidence and security in the use of ICTs’’. The focus on
risks in the ITU framework can be inscribed in the redefinition of the role of this specialized
body of the UN after the WSIS process. In this direction, it is worth noting a subsequent
modification occurring in 2010 in the wording of the UNGA resolution 53/70: the phrase
‘‘possible measures to limit the threats emerging in this field’’ is changed to ‘‘possible
strategies to address the threats emerging in this field’’. This reveals two underlying
considerations: first, that it is not enough to limit threats, and a comprehensive approach
might be needed; second, that strategies would be preferred to measures, which tend to be
more punctual and require less long-term planning.
Entitlement to participation
Over time, there has been a gradual recognition that states are not the only participants in
securing the cyberspace. In 2000, the ‘‘need for cooperation between states and private
industry to combat misuse of ICTs’’ was acknowledged in resolution 55/63, but this was not
included in the recommendations made to member states at that point. Two years later,
participants in the cyberspace are explicitly identified and mentioned in the following order:
‘‘Governments, businesses, other organizations and individual users who develop, own,
provide, manage, service and use information systems and networks (‘participants’)’’ in
UNGA resolution 57/239. Once identified, the participants are also attributed responsibility;
according to the same 2002 resolution, the participants ‘‘must assume responsibility for and
take steps to enhance the security of these information technologies, in a manner
appropriate to their roles’’. At the same time, each state is empowered to ‘‘determine its own
critical information infrastructure’’ and the resolutions are intended to address first and
foremost other states, rather than contributing to creating global norms reflecting a global
vision for preventing and combating cyber-risks.
In UNGA resolution 58/199 of 2003, the term ‘‘stakeholders’’ is used for the first time,
implying more leverage for inclusion in the decision-making processes. ITU Resolution 174
from 2010 extends this further, to ‘‘Member States and relevant ICT stakeholders, including
geospatial and information service providers’’. Resolution 64/211 of 2010 acknowledges the
mandate of the IGF, ‘‘reiterating that all Governments should have an equal role and
responsibility for international Internet governance’’. The 2010 report of the GGE brings up
‘‘cooperation between states, and between states, the private sector and civil society’’,
making a first explicit reference to civil society as an equal player in the global governance of
security in the cyber-environment. The report also talks about ‘‘threat actors’’, pointing out
that ‘‘of increased concern are individuals, groups or organizations, including criminal
organizations, that engage as proxies in disruptive online activities on behalf of others’’. In
that sense, the security concerns are distanced from the logic of linear threats and
vulnerabilities originating by default outside the state, as was the case in the traditional
understanding of security (Buzan, 1991).
The report takes a state-centric perspective, and its recommendations are focused primarily
on national views regarding ICT security, national legislation and best practices exchange.
The report also invites member states to ‘‘discuss norms pertaining to State use of
information and communication technologies, to reduce collective risk and protect critical
national and international infrastructures’’ as well as ‘‘finding possibilities to elaborate
common terms and definitions relevant to United Nations General Assembly resolution
64/25’’. In the foreword to the 2010 GGE report, the UN Secretary General hints at an
important role being played by intergovernmental fora such as the UNGA in ‘‘making
information technology and telecommunications more secure, both nationally and
internationally’’. The GGE comprises representatives of 15 countries, selected based on
geographical considerations: the USA, Russia, China, the UK, France, Belarus, Brazil,
Estonia, India, Israel, Italy, Qatar, the Republic of Korea and South Africa. The group was
convened with the mandate ‘‘to continue to study existing and potential threats in the sphere
of information security and possible cooperative measures to address them, as well as
concepts aimed at strengthening the security of global information and telecommunications
systems’’ and will hold its last meeting in June 2013 in New York.
Conclusions
Over the years, internet security has evolved from a local concern to a national security
interest and more recently, a foreign policy priority. By now, all important regional and global
organizations have held meetings to discuss and propose actions towards enhancing the
protection of the cyberspace, in recognition of the transnational nature of internet-related
threats. More recently, cyber-attacks like Stuxnet, Duqu or Flame have made the headlines
as ‘‘use of force instances’’ based on weaponized computer codes (Farwell and Rohozinski,
2012, p. 107), thus spotlighting the need for multilateral actions in this field. While the
literature on the topic is considerably skewed towards assessing the role of the state, the
way in which cyber-protection is handled reflects much more a networked governance
approach, both in terms of regular operations and in times of crisis (Mueller et al., 2013).
Moreover, the concept of sovereignty and domestic approaches have come into question in
light of cloud computing developments.
The present analysis has unveiled the embryonic state of international cyber security
cooperation within two institutional fora, the UNGA and ITU. In the UNGA agenda, internet
security has been primarily approached from a national perspective, rather than as an
international issue to build consensus around. This analysis has revealed that, in the initial
phase, only limited efforts have been made to provide a shared understanding of what
security in the cyberspace means, and who is entitled to participate in its governance.
The stalemate in current negotiations has stemmed from different visions regarding internet
security, in particular between two of the most active states on internet security in the UNGA,
the USA and Russia. As a new issue domain, cyber security is still an arena of contestation,
in which power is asserted not only by states, but also by specialized bodies such as the
ITU, which is increasingly involved in securing the cyberspace. An officially adopted
definition was not agreed on in the UNGA due to differentials in country positioning, and the
strength of the resolutions adopted has been decreased to the minimum common
denominator, as seen in the shift from discussing definitional matters to informing about
country-level measures for cyber defense. A broad definition only came from the ITU in 2008,
recognizing the need for revision at a later point in accordance with changes in policy.
The common actions agreed on between 1998 and 2011 in the UNGA did not involve any
strong commitments from member states, but rather relied on information and best-practice
sharing, or voluntary self-assessment tools. In the discussions, the focus shifted from
defining key terms and concepts and setting the foundations for international negotiations to
reasserting sovereignty and territoriality. A strong role for governments is emphasized in
resolutions, as they address primarily other states; more recently, there is an
acknowledgement that nation-states are not the only stakeholders in this issue domain. At
the same time, the discourse on the role of states in securing the cyberspace has only
gradually evolved to recognize and to assign responsibilities to other actors, such as the
private sector, international organizations or civil society. The parallel processes of building
confidence and consensus have taken divergent paths, being focused on reasserting
sovereignty to the detriment of elaborating an integrated vision for global negotiation
processes.
Notes
1. For this study, ‘‘security in the cyberspace’’ will be used to refer to both information security and
cyber-security (used with differentiated meaning in the UN resolutions).
2. So far, the UNGA has requested the establishment of a Group of Governmental Experts (GGE) in
three instances: in 2004, with the requirement of delivering a report in 2005 (not publicly available);
in 2009, with the request of submitting a report in 2010 following three expert meetings (taken into
account in the present study); and in 2012, pursuant to Resolution 65/41 from December 8, 2010.
3. The complete definition reads as follows: ‘‘Cybersecurity is the collection of tools, policies, security
concepts, security safeguards, guidelines, risk management approaches, actions, training, best
practices, assurance and technologies that can be used to protect the cyber environment and
organization and user’s assets. Organization and user’s assets include connected computing
devices, personnel, infrastructure, applications, services, telecommunications systems, and the
totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to
ensure the attainment and maintenance of the security properties of the organization and user’s
assets against relevant security risks in the cyber environment. The general security objectives
comprise the following: availability; integrity, which may include authenticity and non-repudiation;
confidentiality’’ (ITU-T X.1205, 2007, p. 2).
References
Bendrath, R. (2003), ‘‘The America cyber-angst and the real world – any link?’’, in Latham, R. (Ed.),
Bombs and Bandwidth: The Emerging Relationship Between Information Technology and Security,
The New Press, New York, NY.
Buckland, B., Schreier, F. and Winkler, T. (2010), ‘‘Democratic governance challenges of cybersecurity’’,
DCAF Horizon 2015 Working Paper No. 1, available at: www.dcaf.ch/Publications/Democratic-
Governance-Challenges-of-Cyber-Security
Buzan, B. (1991), People, States, and Fear: An Agenda for International Security in the Post-Cold War
Era, 2nd ed., Harvester Wheatsheaf, London.
Chertoff, M. (2008), ‘‘The cybersecurity challenge’’, Regulation & Governance, Vol. 2 No. 4, pp. 480-484.
Deibert, R. (2012), ‘‘Distributed security as cyber strategy: outlining a comprehensive approach for
Canada in the cyberspace’’, research paper, Canadian Defense & Foreign Affairs Institute, Calgary.
Deibert, R. and Rohozinski, R. (2010), ‘‘Risking security: policies and paradoxes of cyberspace
security’’, International Political Sociology, Vol. 4 No. 1, pp. 15-32.
Dunn Cavelty, M. and Mauer, V. (2007), ‘‘The role of the state in securing the information age –
challenges and prospects’’, in Dunn Cavelty, M., Mauer, V. and Krishna-Hensel, S.F. (Eds), Power and
Security in the Information Age: Investigating the Role of the State in Cyberspace, Ashgate, Burlington,
VT.
Dunn Cavelty, M. and Rolofs, O. (2010), ‘‘From cyberwar to cybersecurity: proportionality of fear and
countermeasures’’, paper presented at the Munich Security Conference, February 5, available at:
www.securityconference.de/Program.638+M5183285721d.0.html (accessed June 20, 2012).
Farwell, J. and Rohozinski, R. (2012), ‘‘The new reality of cyber war’’, Survival: Global Politics and
Strategy, Vol. 54 No. 4, pp. 107-120.
Franklin, M.I. (2007), ‘‘NGOs and the ‘information society’: grassroots advocacy at the UN – a cautionary
tale’’, Review of Policy Research, Vol. 24 No. 4, pp. 309-330.
George, J. (1994), Discourses of Global Politics: A Critical (Re)Introduction to International Relations,
Lynne Rienner Publishers, Boulder, CO.
Gruenberg, J.S. (2009), ‘‘An analysis of the United Nations Security Council Resolutions: are all
countries treated equally?’’, Case Western Reserve Journal of International Law, Vol. 41 Nos 2/3,
pp. 469-511.
Hansen, L. and Nissenbaum, H. (2009), ‘‘Digital disaster, cyber security, and the Copenhagen School’’,
International Studies Quarterly, Vol. 53, pp. 1155-1175.
Harknett, R.J. and Stever, J.A. (2011), ‘‘The new policy world of cybersecurity’’, Public Administration
Review, Vol. 71 No. 3, pp. 455-460.
Hathaway, O., Crootof, R., Levitz, P., Nix, H., Nowlan, A., Perdue, W. and Spiegel, J. (2012), ‘‘The law of
cyber-attack’’, California Law Review, Vol. 100 No. 4, pp. 817-886.
Karns, M. and Mingst, K. (2004), International Organizations: The Politics and Processes of Global
Governance, Lynne Rienner Publishers, Boulder, CO.
Markoff, J. (2012), ‘‘Killing the computer to save it’’, New York Times, October, Vol. 30, p. D1.
Maurer, T. (2011), ‘‘Cyber norm emergence at the United Nations – an analysis of the activities at the UN
regarding cyber-security’’, Discussion Paper 2011, Belfer Center for Science and International Affairs,
John F. Kennedy School of Government, Harvard University, Cambridge, MA.
Mueller, M., Mathiason, J. and Klein, H. (2007), ‘‘The internet and global governance: principles and
norms for a new regime’’, Global Governance, Vol. 13, pp. 237-254.
Mueller, M., Schmidt, A. and Kuerbis, B. (2013), ‘‘Internet security and networked governance in
international relations’’, International Studies Review, Vol. 15 No. 1, pp. 86-104.
Nye, J. (2010), ‘‘Cyber power’’, discussion paper, Belfer Center for Science and International Affairs,
John F. Kennedy School of Government, Harvard University, Cambridge, MA.
Nye, J. (2011), The Future of Power, Public Affairs, New York, NY.
Radu, R. (2012), ‘‘The monopoly of violence in the cyberspace: challenges of cybersecurity’’, in Fels, E.,
Kremer, J.-F. and Kronenberg, K. (Eds), Power in the 21st Century: International Security and
International Political Economy in a Changing World, Springer, New York, NY, pp. 137-150.
Rasmussen, M.V. (2001), ‘‘Reflexive security: NATO and International Risk Society’’, Millennium: Journal
of International Studies, Vol. 30 No. 2, pp. 285-309.
Singh, J.P. (2011), ‘‘Negotiating internet governance: security implications of multilateral approaches’’,
in Clunan, A. and Trinkunas, H.A. (Eds), Ungoverned Spaces: Alternatives to State Authority in an Era of
Softened Sovereignty, Stanford University Press, Stanford, CA.
Sommer, P. and Brown, I. (2011), Reducing Systemic Cybersecurity Risk, Organisation for Economic
Co-operation and Development, Paris.
Sterner, E. (1996), ‘‘Digital Pearl Harbor: national security in the information age’’, National Security
Studies Quarterly, Summer, Georgetown School of Foreign Service, Washington, DC.
Talbot, D. (2006), ‘‘The internet is broken’’, Technology Review, available at:
www.technologyreview.com/news/405318/the-internet-is-broken (accessed 20 October 2012).
Yannakogeorgos, P. (2009), ‘‘Technogeopolitics of militarization and security in cyberspace’’,
PhD dissertation, Rutgers University, New Brunswick, NJ.
Corresponding author
Roxana Radu can be contacted at: roxana.radu@graduateinstitute.ch
VOL. 15 NO. 6 2013 | info | PAGE 41
Cite as Gary Brown, 8 J. NAT’L SECURITY L. & POL’Y ___ (forthcoming 2016)
Spying and Fighting in Cyberspace: What is Which?
Gary Brown*
INTRODUCTION
Traditionally, espionage has inhabited a niche between order and chaos. States have
recognized the existence of espionage and enacted domestic legislation to prohibit it, but
international law is silent on the subject.1 On the other hand, States accept espionage as part of
the business of international relations and are generally tolerant of it. That may be changing,
however. Cyberspace, especially the Internet, has become an integral part of everyday life. The
use of cyberspace for espionage has generated difficult discussions about the nature of
cyberspace, the extent of national sovereignty, and the importance of individual privacy, among
other issues, all of which are relevant in a conversation about espionage. This article focuses on
another issue, which is the overlap of espionage and aggressive cyber operations. Confusion
about the intent behind an intrusion could lead to a misreading of aggressive intent, unnecessary
escalation of tensions, or a false sense of security in the opening act of significant cyber
aggression. This article also discusses the United States’ stance on dividing espionage into
categories depending on the purpose.
Rapid improvements in computer technology and techniques, as well as the exponential
rise in the amount of data stored online, have driven a closer look at the subject of cyber
* Gary Brown is a professor of Cyber Security at Marine Corps University.
1 It could be cited as an exception that the International Court of Justice directed Australia to refrain from interfering
with communications between Timor-Leste and legal advisers regarding current and future legal actions. See Press
Release, Int’l Court of Justice, Questions relating to the Seizure and Detention of Certain Documents and Data
(Timor-Leste v. Australia), Int’l Court of Justice (Mar. 3, 2014), http://www.icj-cij.org/docket/files/156/18076 .
That case stands as a solitary assertion, however, and applies to the special relationship between counsel and client,
making its value as precedent questionable.
espionage, in particular how it differs from traditional methods of spying. The speed of access
and exfiltration in cyber espionage operations can rapidly result in libraries of information,
dwarfing the information that can be obtained through more traditional methods of espionage.2
Although some of the issues discussed here are also relevant in traditional espionage operations,
they have seemed less so in the past. They may have come to the forefront now because of the
effectiveness and pervasiveness of cyber espionage. This article will focus only on cyber
methods of espionage.
The United States defines espionage as “[t]he act of obtaining, delivering, transmitting,
communicating, or receiving information about the national defense with an intent, or reason to
believe, that the information may be used to the injury of the United States or to the advantage of
any foreign nation.”3
The distinction between cyber espionage and more aggressive cyber operations is critical
under international law. Espionage has been considered unregulated under the international legal
system – meaning cyber activities that constitute espionage are neither lawful nor unlawful under
international law.4 As a result, States freely engage in espionage and generally accept it from
other States, with results limited to punishing spies under domestic law and the expulsion of
2 Verizon’s 2015 Data Breach Investigations Report notes that in 60% of cases, cyber operators are able to
compromise a target organization within minutes. VERIZON, 2015 DATA BREACH INVESTIGATIONS REPORT 6,
http://www.verizonenterprise.com/DBIR/2015/. The 2014 Sony hack resulted in around 100 terabytes of data being
stolen, an amount of data that, if stored on CD-ROMs, would require a stack of them 3,900 feet high. See Kim
Zetter, Sony Got Hacked Hard: What We Know and Don’t Know So Far, WIRED (Dec. 3, 2014),
http://www.wired.com/2014/12/sony-hack-what-we-know/ and Joel Lee, Memory Sizes Explained – Gigabytes,
Terabytes & Petabytes in Layman’s Terms (Aug. 14, 2012), http://www.makeuseof.com/tag/memory-sizes-
gigabytes-terabytes-petabytes/.
3 U.S. DEP’T OF DEFENSE, JOINT PUBL’N 1-02: DEPARTMENT OF DEFENSE DICTIONARY OF MILITARY AND
ASSOCIATED TERMS 82 (2015). Accord 18 U.S.C. § 794 (2012).
4 Whether or not espionage is prohibited by international law does not affect whether it may be prohibited or
otherwise regulated domestically.
diplomats. This is in stark contrast to the treatment of aggressive activity, which might
constitute an illegal use of force under the U.N. Charter.5
I. NOT ALL ESPIONAGE IS EQUAL
Historically, the United States appears to have agreed that international law should not
apply to traditional espionage and that instead the punishment of spies should be left to domestic
law. With the rise of cyber espionage, however, the United States has begun to change its
position.6 “Traditional espionage encompasses a government’s efforts to acquire clandestinely
classified or otherwise protected information from a foreign government,” explains cyber
security expert, David P. Fidler. “Economic espionage involves a State’s attempts to acquire
covertly trade secrets held by foreign private enterprises.”7 The United States manifested this
distinction in the unprecedented indictment of five Chinese military officers for engaging in
cyber espionage from China, in Administration statements critical of economic espionage, and in
the U.S.-China agreement prohibiting cyber economic espionage for commercial gain, but is
silent on other categories of espionage.8
5 U.N. Charter art. 2, ¶ 4.
6 See John Carlin, Assistant Attorney Gen. for Nat’l Sec., Dep’t of Justice, Assistant Attorney General John Carlin
Delivers Remarks at the Brookings Institute’s Emerging National Security Threats Forum (May 22, 2014),
http://www.justice.gov/nsd/pr/assistant-attorney-general-john-carlin-delivers-remarks-brookings-institutes-
emerging; Greg Austin, China’s Cyberespionage: The National Security Distinction and U.S. Diplomacy, THE
DIPLOMAT (May 2015), http://thediplomat.com/wp-content/uploads/2015/05/thediplomat_2015-05-21_22-14-05
(discussing U.S. position).
7 David P. Fidler, Economic Cyber Espionage and International Law: Controversies Involving Government
Acquisition of Trade Secrets through Cyber Technologies, 17 ASIL INSIGHTS NO. 10 (Mar. 20, 2013).
8 See U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor
Organization for Commercial Advantage (U.S. Dep’t of Justice, Washington, D.C.), May 19, 2014,
http://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-
and-labor. [hereinafter U.S. Charges]; National Security Advisor Susan E. Rice’s As Prepared Remarks on the U.S.-
China Relationship at George Washington University (The White House, Washington, D.C.), Sept. 21, 2015,
https://www.whitehouse.gov/the-press-office/2015/09/21/national-security-advisor-susan-e-rices-prepared-remarks-
us-china; Remarks by President Obama and President Xi of the People’s Republic of China in Joint Press
In February 2013, the cyber security company Mandiant published a compelling portfolio
of evidence tying the Chinese military to cyber economic espionage. That Mandiant chose
commercial espionage for its deep-dive investigation appears to reflect the U.S. position that
“economic espionage” should be treated differently than more traditional or “national security
espionage.”9
The United States treats as traditional espionage the theft of information more directly
relevant to national security. U.S. concern over cyber espionage was reflected by then-National
Security Agency Director, General Keith Alexander when he said “the loss of industrial
information and intellectual property through cyber espionage constitutes the ‘greatest transfer of
wealth in history.’”10 Although General Alexander’s statement has been criticized as
exaggerated, there does appear to be a large, on-going transfer of possession of intellectual
property through cyber-enabled espionage.11
If espionage is to be split into two distinct categories, it may seem counterintuitive that
economic espionage would be the more disfavored category. After all, economic espionage
merely transfers net wealth and marginally decreases the incentive to innovate.12 It might make
sense to treat economic espionage less seriously than traditional espionage, as the latter could
Conference (The White House, Washington, D.C.), Sept. 25, 2015, https://www.whitehouse.gov/the-press-
office/2015/09/25/remarks-president-obama-and-president-xi-peoples-republic-china-joint.
9 MANDIANT, APT1: EXPOSING ONE OF CHINA’S CYBER ESPIONAGE UNITS (2013),
http://intelreport.mandiant.com/Mandiant_APT1_Report .
10 Josh Rogin, NSA Chief: Cybercrime Constitutes the “Greatest Transfer of Wealth in History,” FOREIGN
POL’Y (July 9, 2012), http://foreignpolicy.com/2012/07/09/nsa-chief-cybercrime-constitutes-the-greatest-transfer-of-
wealth-in-history/.
11 The U.S. Department of Commerce estimates intellectual property theft from U.S. companies amounts to $200 to
$250 billion annually. Stolen Intellectual Property Harms American Businesses Says Acting Deputy Secretary Blank
(U.S. Dep’t of Commerce), Nov. 29, 2011, http://www.commerce.gov/blog/2011/11/29/stolen-intellectual-property-
harms-american-businessessays-acting-deputy-secretary-. The Commission on the Theft of American Intellectual
Property estimated the annual loss to be $300 billion. COMM’N ON THE THEFT OF AM. INTELLECTUAL PROP., THE IP
COMMISSION REPORT 2 (May 2013), http://www.ipcommission.org/report/ip_commission_report_052213 .
12 Christina Parajon Skinner, An International Law Response to Economic Cyber Espionage, 46 CONN. L. REV.
1165, 1183-4 (2014).
directly and negatively affect national security. The United States has decided the opposite is
true, perhaps because espionage directly benefiting national security is considered to have a
longer, more established tradition. In addition, national security espionage may have come to be
tolerated among States because it distributes knowledge that may increase the collective security
of the community of nations by reducing surprise, increasing knowledge of intentions, etc.
In any event, there has been no clear international consensus that singles out economic
espionage for denunciation.13 Currently, State responses to economic espionage include official
condemnation, responsive sanctions or the use of other international tools to dissuade economic
espionage. None of these indicate that it is treated differently than national security espionage.
Even if there were a concerted international movement to recognize the distinction
between “good” and “bad” espionage, the details, at least to some degree, would be challenging.
National security is a broad concept. It includes not just military forces, but also political
stability – and the strength of the economy. 14 Rational arguments can be made for a vast array
of technologies contributing to “national security.” For example, energy technologies can
benefit the military, food technology can increase a State’s self-sufficiency, and entertainment
technology can increase the effectiveness of propaganda. The Commentary to Additional
Protocol I notes that all information has some relevance for national security, and this is
especially relevant with regard to cyber espionage.15
13 It is too early to tell whether the U.S.-China agreement signals a change in the general international approach to
the issue.
14 It is frequently noted that China sees its economy and national security as two sides of the same coin. See Rana
Foroohar, What Chinese Cyber-Espionage Says about the Chinese (and U.S.) Economy, TIME (May 20, 2014),
http://time.com/105910/chinese-spying-economy-hacking-espionage. The United States’ 2010 National Security
Strategy mentions aspects of the economy 50 times; it is clearly important to the U.S. vision of national security, as
well. See 2010 WHITE HOUSE, NAT’L SEC. STRATEGY,
https://www.whitehouse.gov/sites/default/files/rss_viewer/national_security_strategy .
15 See CLAUDE PILLOT ET AL., INT’L COMM. OF THE RED CROSS, COMMENTARY ON THE ADDITIONAL PROTOCOLS OF
8 JUNE 1977 TO THE GENEVA CONVENTIONS OF 12 AUGUST 1949 566 (Yves Sandoz et al. eds., 1987).
II. ARE WE UNDER ATTACK?
Although the United States is engaged on the issue of categories of espionage, it has said
little about the challenge of distinguishing between identical cyber activities undertaken for
fundamentally different purposes. For instance, will virtual presence on a cyber system, without
more information, be treated as espionage, remaining essentially unregulated, or be treated as
preparation for cyber warfare akin to penetrating sovereign airspace with armed fighters or
massing armed forces on the border?
In the purely physical world it is usually simple to distinguish espionage from bellicose
activity. The weapons used to fight a war are generally distinguishable from those used to spy,
both in nature and in quantity. For example, if a spy is armed at all it is likely with a sidearm or
other light weapon. Spies usually work alone or in small groups. Basically, traditional spies
look like ordinary citizens, or at most like ordinary criminals. It is often the intent of spies to
look like insiders, or people who have permission to be where they are. Troops planning to
engage in combat, on the other hand, appear to be what they are – combatants.16 Combatants are
required to wear uniforms and carry their arms openly. They are normally armed with heavier
weapons and present in larger numbers. These facts, together with the location of the individuals
involved, generally make a determination of whether a particular activity is espionage relatively
straightforward in the physical world.
Some cyber attacks are easy to define. For example, gaining access to a computer
network and using the access to physically destroy attached computers or equipment is a cyber
16 Camouflage is a kind of “deception” perhaps, but the deconstruction of “cyber camouflage” I’ll leave to someone
else.
attack. In more subtle cases, however, it can be difficult for the party on the receiving end of a
cyber operation to distinguish between espionage and military attack (including actions leading
up to an attack). Most cyber operations of any type require gaining unauthorized or secret access
to an information system.17 When victims discover their cyber systems have been penetrated,
determining what happened and whether information has been stolen or modified may not be
easy if the attacker is patient and careful. It is often not immediately apparent whether the
unauthorized access is intended for spying, for disruptive and destructive activities, or both. The
potential damage is not limited to a physical location, as in the case of a saboteur, which ups the
ante for cyber operations. To complicate the situation even more, the initial access may be for
reconnaissance in advance of attack, so that the compromise and theft of data are preludes to
future offensive operations. Finally, even if the initial purpose were espionage, access itself may
embolden the hacker to commit a future attack.
Both espionage and warfighting benefit from acquiring access to as many systems as
possible, to maximize either information gathering or the effect of a future attack. Given the
nature of cyberspace, that might mean thousands of systems for either type of operation.
Accordingly, both quantitatively and qualitatively, espionage and warfighting in cyberspace can
be indistinguishable until the denouement.
Although merely gaining access to a network or computer is not a wrongful use of force
or an armed attack under international law, the method used might be.18 Some cases are simple.
Invading a military base located across a national border, causing hundreds of casualties, for the
purpose of seizing a hard drive containing sensitive information is not espionage – even if that is
17 Herbert Lin discusses these different actions in Offensive Cyber Operations and the Use of Force, 4 J. NAT’L
SECURITY L. & POL’Y 63, 64 (2010).
18 See TALLINN MANUAL ON THE INTERNATIONAL LAW APPLICABLE TO CYBER WARFARE 195 (Michael N. Schmitt
ed., 2013). The concepts of use of force and armed attack are from the U.N. Charter art. 2 ¶4, 51.
the sole purpose of the excursion. It is a military attack. More subtle examples can be difficult
to parse. To facilitate espionage, a State might covertly dispatch a small military unit to break
into a secure facility for the purpose of inserting a flash drive into a network to upload malware
that will enable the collection of information. The smaller the unit, and the less force used, the
greater the likelihood the action will be seen as espionage – but at some point, such endeavors
constitute a significant breach of sovereignty or a wrongful use of force in violation of
international law.
Similarly, cyber activities undertaken for the purpose of collecting intelligence might
look like cyber attacks. The U.S. National Research Council has observed that there may be
situations where “the distinction between a cyberattack and [cyber intelligence gathering] may be
very hard to draw from a technical standpoint, since both start with taking advantage of a
vulnerability.”19 Both offensive cyber activity and cyber espionage rely on acquiring
unauthorized access to a system, and that often involves damaging a system in some way. The
damage may be reducing the effectiveness of the target system’s anti-virus software, decreasing
the effectiveness of its encryption programs, installing a back door or altering its operating
system, for example. If damage is defined to include activities that decrease effectiveness or
cause a system to cease its intended function, then each of these is an illustration of damaging the
targeted system.20
The overlap of espionage and offensive operations in cyberspace appears to have been
recognized and has been addressed through policy and doctrinal definitions in the United States.
Cyber espionage is referred to as “computer network exploitation,” which is defined as “enabling
19 TECHNOLOGY, POLICY, LAW, AND ETHICS REGARDING U.S. ACQUISITION AND USE OF CYBERATTACK
CAPABILITIES 261 (William A. Owens et al. eds., 2009).
20 This concept of damage is also discussed below. See discussion infra Section III.D.
operations and intelligence collection capabilities conducted through the use of computer
networks to gather data from target or adversary automated information systems or networks.”21
The critical phrase is “enabling operations,” which includes cyber activity that would otherwise
be considered a cyber attack as noted above. That is, an enabling operation could logically
include physically damaging one system to facilitate the gathering of intelligence from another
system.
“Enabling” is distinct from the collection of intelligence; it is rather those things that
permit the collection. As discussed above, these could include anything from a physical
presence in a foreign computer center to damaging systems to make them exploitable. Of
course, it also includes collateral actions necessary to collect intelligence, such as forcing a
computer reboot to install malware or sending a phishing email, which are not, standing alone,
the collection of intelligence. Some of these collateral activities are cyber attacks, but they are
defined as part of an intelligence operation. This is a definitional overlap between two
fundamentally different categories of activity.
Occupying the space between cyber espionage and cyber aggression is Operational
Preparation of the Environment (OPE). The Department of Defense defines OPE as “[t]he
conduct of activities in likely or potential areas of operations to prepare and shape the
operational environment.”22 OPE could include cyber operations to penetrate systems, introduce
malware or undertake other actions in preparation for offensive action. These activities occur in
the absence of armed conflict, although conflict may be anticipated.
21 U.S. GOV’T ACCOUNTABILITY OFFICE, GAO-11-695R, DEF. DEP’T CYBER EFFORTS: DEFINITIONS, FOCAL POINT,
AND METHODOLOGY NEEDED FOR DOD TO DEVELOP FULL-SPECTRUM CYBERSPACE BUDGET ESTIMATES 2 (2011).
22 U.S. DEP’T OF DEF., JP 1-02, DEP’T OF DEF. DICTIONARY OF MIL. AND ASSOCIATED TERMS (2015).
Pre-positioning cyber capabilities on networks or computer systems, by itself, does not
constitute cyber aggression, and is not quite espionage, because it is not collecting
intelligence. This activity is rather some unique category falling between espionage and attack.
Although capabilities are prepositioned in the kinetic world as well, the legal issues are easier to
deal with in the physical world. For example, there is little doubt that concealing a weapons
cache in another State’s territory is preparation for armed attack. On the other hand, obtaining
access to a system often fails to signal what kind of follow-on action is anticipated. This
ambiguity is one thing that makes cyber operations uniquely challenging.
Similarly, many pre-positioned capabilities provide the ability to engage in either
espionage or aggressive activity, and so acting to emplace these capabilities may be mistaken for
either of the other two. For example, malware that allows its controller to log on a system with
administrator privileges would provide the opportunity to view or copy information on a
network, as well as delete information and take other actions that could physically damage the
system, i.e., constitute an attack. Obtaining and maintaining this kind of pre-positioned
capability could be seen as the equivalent of planting explosives to be used at a future point.
This article will not address cyber OPE as a unique category. Although there are
doctrinal and policy reasons for treating it as distinct, OPE can be included in this discussion by
looking at it as an intelligence activity that has the potential to be mistaken for aggression.
III. A FRAMEWORK FOR ANALYSIS
There are more commonalities than distinctions between cyber espionage and cyber
aggression. The framework below provides a broad overview of the steps involved in cyber
operations, followed by brief vignettes drawn from actual events that apply the framework. This
analysis helps delineate the gray areas between cyber espionage and other cyber operations.
Put simply, any cyber operation requires identification, penetration, presence,
exploitation and harm. I illustrate this using a pretend state-sponsored hacker named P0wn$z.
The first requirement for any operation is determining the target. The identification of a
cyber system is the least elegant step. P0wn$z might do this by using a bot to conduct a massive
survey of cyber systems, seeking out those with typical characteristics for the system he wants to
target; for example, some SCADA systems have characteristics that make them easy to spot on
the Internet.23 P0wn$z will be looking for the type of systems he wants that have vulnerabilities,
such as unpatched software or unchanged default passwords. In this way, P0wn$z can build an
extensive database of potential targets that he can sell to the highest bidder or use for his own
purposes.24
Once P0wn$z finds the system he wants to target, initial penetration of a system can be
accomplished in a variety of ways. For Stuxnet, the cyber operation that destroyed nuclear
centrifuges in Iran, it was through a worm.25 In the case of Operation Buckshot Yankee,26 it was
most likely effected by the strategic placement of flash drives containing malware that were
eventually used on official systems. Many system penetrations use the tried and true method of
phishing emails, which are often cleverly crafted using information available from social media.
23 ICS-CERT noted the ease of identifying some of these systems in Dep’t of Homeland Sec., Incident Response
Activity, ICS-CERT MONITOR, Jan.-Apr. 2014, at 1, 2.
24 Some of the methods used to identify vulnerable systems are set out in Pedram Hayati, Presentation at the 2015
Hack In The Box Security Conference: Uncovering Secret Connections Among Attackers by Using Network Theory
and Custom Honeypots (May 28, 2015).
25 See Kim Zetter, COUNTDOWN TO ZERO DAY: STUXNET AND THE LAUNCH OF THE WORLD’S FIRST DIGITAL
WEAPON (2014).
26 See III.B. below.
Regardless of the method, the purpose is to gain and elevate access to the target system. That is,
the goal is to get on the system and ideally to gain credentials as a system administrator.
After gaining access, the next thing P0wn$z wants to do is establish a persistent presence
on the system. Operating systems and anti-virus software may be updated and passwords may
change, for example. P0wn$z wants to access the system repeatedly. To exfiltrate large
amounts of data, P0wn$z will spread the downloads over the course of several days or weeks to
avoid being noticed by network monitoring tools. Besides, new information will be added to the
system constantly, and a persistent access may yield results for many years. To establish
persistent access, P0wn$z may install additional malware or create additional accounts on the
system, for example, to provide a back door for future use.
The fourth step in the operation is exploitation of the access to gain information. As
noted above, this may involve the exfiltration of information to a server located anywhere in the
world, from where P0wn$z can move it later to where it will be analyzed. Exploitation might
also involve real time monitoring of email content or system usage data to get inside the decision
loop of the target organization. Another use of exploitation is to gather system information so
that the system itself can be degraded or damaged.
Using the information to cause harm is the ultimate goal of a cyber operation, whether
espionage or military. An espionage operation would seek to use the information gathered to do
damage to the national security of the target State. In some cases, the target’s national security is
weakened because a potential adversary has learned some strategic secret, such as where troops
plan to strike, or a technical secret such as how to defeat a radar system. In some cases, the
relative security of the victim State is reduced because a rival State has narrowed the victim’s
lead in some strategic technology. In either case, the spying State benefits and the target State
suffers a detriment. It could be argued that no harm is intended or follows when “friends” spy on
“friends,” as when the United States obtained access to the German Chancellor’s cellphone.27
The term “harm” as defined here includes changes in the relative advantage between States,
because spying friends are potential future adversaries. As Henry Kissinger famously noted,
“America has no permanent friends or enemies, only interests.”28
As noted earlier, the United States sees a subset here. According to the United States’
view, using the pilfered information for commercial gain is fundamentally different from using it
for the advancement of national security.29 China, however, has asserted that a State’s economy
is an essential part of its national security, so damaging one State’s economy or benefiting the
economy of another is the same as any other use of information obtained through espionage.30
Whether one position is preferable in law will not be discussed here. It can also be difficult to
determine whether a particular operation is undertaken for the purpose of commercial gain or
whether it incidentally results in commercial gain. This difficulty in distinguishing between the
facts underlying the two positions is addressed in the scenarios below.
In more aggressive operations the harm intended might be actual damage to the host
computer system, destruction of critical data, or damage to industrial systems connected to the
network, for example. The important thing to note is that penetration, presence and exploitation
27 Embassy Espionage: The NSA’s Secret Spy Hub in Berlin, DER SPIEGEL (Oct. 27, 2013),
http://www.spiegel.de/international/germany/cover-story-how-nsa-spied-on-merkel-cell-phone-from-berlin-
embassy-a-930205.html.
28 Kissinger was echoing a classic foreign policy position. This international reality is what made the 2010
revelation of the no spying agreement among the “Five Eyes” countries so surprising. Gordon Corera, Spying
Scandal: Will the ‘Five Eyes’ Club Open up?, BBC (Oct. 29, 2013), http://www.bbc.com/news/world-europe-
24715168.
29 Shannon Tiezzi, China’s Response to the U.S. Cyber Espionage Charges, THE DIPLOMAT (May 21, 2014),
http://thediplomat.com/2014/05/chinas-response-to-the-us-cyber-espionage-charges.
30 In the end, there may be little difference between the United States and Chinese views on this matter, though the
United States tends to phrase its position in terms of how the loss of information harms its national security rather
than how obtaining it would improve its security. See EXEC. OFFICE OF THE PRESIDENT, ADMIN. STRATEGY ON
MITIGATING THE THEFT OF U.S. TRADE SECRETS 3 (2013).
may be precisely the same, whether the operation is intended for espionage or aggression. It is
only with the harm that the two types of operation become distinguishable. This similarity
throughout most of the operation creates challenges for legal and policy frameworks, as will be
evident in the description of the operations below.
The examples below illustrate how penetration, presence, exploitation and harm apply in
some publicly reported cyber operations. The crucial first step of identification is left for another
paper, as it is focused on technology and intelligence collection rather than policy and law.
A. Undersea Cable Tapping
Cable tapping is discussed as a cyber operation because most Internet traffic passes
through submarine cables. The United States has reportedly collected information from undersea
communications cables for years. In the 1970’s the United States attached recording boxes to
Soviet undersea cables.31 Later, the United States (and others) may have tapped into submarine
cables at repeater junctions under the sea.32 From published reports, this appears to be a blended
cyber-kinetic method that introduces a new item of physical equipment to a system to collect
cyber intelligence. An operation that collects such huge amounts of information is a gold mine of
espionage. The penetration of the undersea cables that cumulatively carry 99% of the world’s
Internet traffic was most likely accomplished through a variety of physical means.33 As
espionage equipment was physically attached to the cables, it continued to maintain the presence
31 Olga Khazan, The Creepy, Long-Standing Practice of Undersea Cable Tapping, THE ATLANTIC (Jul. 16, 2013),
http://www.theatlantic.com/international/archive/2013/07/the-creepy-long-standing-practice-of-undersea-cable-
tapping/277855.
32 Id.
33 What the Internet looks like: Undersea Cables Wiring ends of the Earth, CNN, Jan. 2, 2015,
http://www.cnn.com/2014/03/04/tech/gallery/internet-undersea-cables.
on the system. The exploitation was through a variety of means, as well, the most entertaining
being the divers retrieving tapes from Soviet cables every few weeks.34
The complicating factor in this operation is the scale. If all the data moving through the
cable is collected, it includes both national security and purely commercial data – and, of course,
an enormous amount of personal information that raises constitutional issues beyond the scope of
this article. The physical devices designed to be attached to undersea cables could include the
capability to jam or otherwise interfere with electronic traffic passing through the cables. This
would be an especially desirable way to deny communications during a conflict, because the
system could be restored essentially cost-free after the conflict. Even in a case like this one that
seems like simple espionage, the technology injects an element of doubt concerning the actor’s
intentions. The mere presence on the system could be espionage or preparing for conflict.
B. Operation Buckshot Yankee (OBY)
In 2008, DoD’s classified military computer networks were compromised by malware. A flash
drive pre-loaded with targeted malware was inserted into a military laptop at a base in the Middle
East. The malicious code copied itself onto U.S. Central Command’s computer network, from
where it spread across the military system, infecting both classified and unclassified computers.
The purpose of the malware was to discover what information was available on the network,
report back to its controller and then exfiltrate desired information. DoD concluded the malware
was distributed by a foreign intelligence agency.35
34 Khazan, supra note 31.
35 William J. Lynn III, Defending a New Domain, FOREIGN AFFAIRS (Sept./Oct. 2010),
https://www.foreignaffairs.com/articles/united-states/2010-09-01/defending-new-domain.
Perhaps the most interesting feature of the malware used here was its ability to jump the
air gap between the classified and unclassified computer systems, a capability critical to the
success of the Stuxnet operation.36 When legitimate users used a flash drive to transfer
information between systems, the malware was designed to ride the flash drive for the initial
infection, and later to cause information to hitchhike on the drive from the classified to the
unclassified system. From the unclassified system, sensitive information could be transferred
over the Internet.37
OBY was a straightforward cyber espionage operation. It appeared to target an official
information system with the intent of gathering national security information to use for national
security purposes. There were no reports that the malware used was capable of damaging the
compromised system, so there was little chance of mistaking the intent of the spying State.
C. F-35 Plans
Although few details have been released, in 2007 China hacked U.S. government
contractor computer networks and obtained millions of pages of F-35 (also referred to as the
Joint Strike Fighter or JSF) technical data.38 “According to a report from Independent
Journalism Review, the U.S. Naval Institute speculates that the J-31 was ‘designed using
36 “An air-gapped computer is one that is neither connected to the internet nor connected to other systems that are
connected to the internet.” Kim Zetter, Hacker Lexicon: What Is an Air Gap?, Wired (Dec. 8, 2014),
http://www.wired.com/2014/12/hacker-lexicon-air-gap/.
37 U.S. Cyber Command: Organizing for Cyberspace Operations: Before the H.Comm. on Armed Services, 111th
Cong. 10 (2010) (statement of General Keith Alexander, Commander, U.S. Cyber Command),
http://www.gpo.gov/fdsys/pkg/CHRG-111hhrg62397/pdf/CHRG-111hhrg62397 .
38 Ellen Nakashima, Confidential Report Lists U.S. Weapons System Designs Compromised by Chinese Cyberspies,
WASH. POST (May 27, 2013), https://www.washingtonpost.com/world/national-security/confidential-report-lists-us-
weapons-system-designs-compromised-by-chinese-cyberspies/2013/05/27/a42c3e1c-c2dd-11e2-8c3b-
0b5e9247e8ca_story.html.
technology stolen from the Pentagon’s nearly $400 billion Lockheed Martin F-35 Joint Strike
Fighter program.’”39
This may at first appear to be another typical espionage case, and perhaps it is. It also
helps illuminate the complexity of applying the U.S. position on good and bad espionage. U.S.
officials noted that the theft of this data caused great damage to U.S. interests, giving away a
substantial U.S. advantage in aviation, while reducing the lead time and costs to adversaries
working to develop stealth technology themselves.40 The harm that resulted to the United States’
lead in stealth aircraft technology and the benefit to China’s program are typical of espionage
operations. The pertinent distinction here is that the information was apparently given to a
manufacturer, Shenyang Aircraft Corporation, which presumably profited from it, while
improving China’s air force and national security.41 Where is the line between strategic
technology and private sector technological advances? It may be difficult to draw. For example,
solar power could make troop deployments more efficient by reducing fuel needs. Automobile
technology may improve military vehicles. An advance in health sciences may improve
battlefield medicine. Virtually any manufacturing technology can be related to national security.
D. Equation Group
This recently reported case is an example of supply chain exploitation. It simplifies the
job of spying if the target’s hardware is manipulated in advance to permit unauthorized access.
In this case, a State’s security service is reported to have installed capabilities on firmware
39 U.S. Pilots Say New Chinese Stealth Fighter Could Become Equal of F-22, F-35, USNI NEWS, (U.S. Naval Inst.,
Annapolis, Md.), Nov. 5, 2014, http://news.usni.org/2014/11/05/u-s-pilots-say-new-chinese-stealth-fighter-become-
equal-f-22-f-35.
40 China’s Cyber-Theft Jet Fighter, WALL ST. J., (Nov. 12, 2014), http://www.wsj.com/articles/chinas-cyber-theft-
jet-fighter-1415838777?alg=y.
41 Jack Mulcaire, China’s Stealth Fighters: Ready to Soar?, THE NATIONAL INTEREST: THE BUZZ (April 16, 2014),
http://nationalinterest.org/blog/the-buzz/chinas-stealth-fighters-ready-soar-10252.
(basically built-in software that controls the hardware) before it arrived at its destination. As
reported, “[t]he malicious firmware created a secret storage vault that survived military-grade
disk wiping and reformatting, making sensitive data stolen from victims available even after
reformatting the drive and reinstalling the operating system.”42
In this case, penetration and presence occur before the equipment becomes the target;
exploitation is available as soon as it is worthwhile. Although this capability may not be able to
damage the system directly, if you cannot use the targeted device as intended any more, but it
still works, has there been an attack? If a system contains any sensitive information, once the
penetration is discovered, the hardware is not usable. Functionally, it has been destroyed.
Because of the time involved in an operation of this type, there is less risk of escalation, but there
is still the question of characterization. Is it merely espionage when the process requires
functionally destroying the target system? Once again, the scale of all things cyber may play a
role. Destroying a few items in the name of espionage may mean little. What if a supply system
penetration is discovered that affected hundreds of thousands of computer chips, routers or other
components? At some point, it seems this could become something more than simply spying.43
E. SCADA Systems
Utilities and modern manufacturing processes are often managed by computerized
industrial control systems, most commonly referred to as Supervisory Control and Data
Acquisition (SCADA) systems.44 SCADA systems are vital in the modern industrial world,
42 Dan Goodin, How “Omnipotent” Hackers Tied to NSA Hid for 14 Years – and Were Found At Last, ARS
TECHNICA, (Feb. 16, 2015), http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-
for-14-years-and-were-found-at-last/.
43 See id.
controlling things as critical as drinking water plants, steel processing, auto manufacturing and
electrical power grids. SCADA systems are designed for long lifespans and reliability, with
security often considered a lower priority. They do not contain much information of interest,
except to those who might be planning a cyber attack on the system. On the other hand, the lack
of security on a networked SCADA system can make it an inviting target for hackers hoping to
gain access to connected systems. For example, the massive breach of Target’s computer system
appears to have been facilitated by computer credentials stolen from the company’s air
conditioning service provider.45 That incident resulted in the exposure of 70 million Target
customers’ personal data.46 Thieves and military planners may have good reasons for hacking
into SCADA systems – but spies remain problematic.
Because States do not store secrets on utility systems, and the systems generally contain
only information about the utilities themselves, any information that could be obtained from a
SCADA system is probably only useful as reconnaissance for a future attack.47 Does it follow
that merely establishing persistent presence on a SCADA system could be taken as aggressive?
In most cases the intelligence value of any information is so low that analysts might assume the
operation is not an exercise in simple espionage, but rather a prelude to aggression. U.S.
SCADA systems are frequently targets of cyber operations.48 The potential harm is
considerable. Espionage and operations with more aggressive intent seem particularly difficult
44 SCADA is the term most generally recognized in legal and policy discussions about cyber operations to describe
computer systems that facilitate the remote control of industrial and utility systems, even when the systems might
more accurately be described as Industrial Control Systems or IP Addressable Appliances. The last term best
describes the system at Target.
45 Mathew J. Schwartz, Target Breach: HVAC Contractor Systems Investigated, DARK READING (Feb. 6, 2014),
http://www.darkreading.com/attacks-and-breaches/target-breach-hvac-contractor-systems-investigated/d/d-
id/1113728.
46 Id.
47 John Hultquist, Sandworm Team – Targeting SCADA Systems, ISIGHT PARTNERS: BLOG (Oct. 21, 2014),
http://www.isightpartners.com/2014/10/sandworm-team-targeting-scada-systems/.
48 Joel Langill et al., Cyberespionage Campaign Hits Energy Companies (July 8, 2014) (on file with Security
Matters), http://www.secmatters.com/sites/www.secmatters.com/files/documents/whitepaper_havex_US .
to distinguish in these cases. In 2014, a hacker caused “massive damage” to a steel plant in
Germany.49 Just before the final step, it may have been impossible for an administrator of the
steel plant’s systems, having discovered a hacker inside the system, to know whether the intruder
was in the final stages of preparing for the destructive attack or merely spying, which creates a
risk of miscalculation.
A final case that may help bring all the threads together is the 2014 Sony hack.50 In that
incident, hackers gained access to Sony’s computer network. The hackers released a huge
amount of business data, emails, personal data of employees, salary information, full copies of
unreleased movies, and more. At some point the operation took a hostile turn and destroyed data
on the servers.
The facts of the incident work well for this discussion if we speculate about a similar
attack on FBI servers. In such a case, the FBI might detect the intruders at an early phase of the
operation: while they are penetrating the federal computer system, establishing a persistent
presence or exfiltrating sensitive anti-terrorism data, for example. At any of these times, it
would appear to be nothing more than an espionage case. Then, perhaps without warning, the
operation might turn aggressive. The same malware capabilities used to exfiltrate data might be
used to delete (i.e., destroy) data and to render much more data inaccessible by corrupting the
master boot records of hard drives.51 Would such a virtual destruction of a critical government
information system rise to a level justifying a kinetic response? The United States acknowledged
49 Kim Zetter, A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever, WIRED (Jan. 8,
2015), http://www.wired.com/2015/01/german-steel-mill-hack-destruction/.
50 Information on the Sony incident is drawn from Zetter, supra note 2, and Michael Mimoso, Details Emerge on
Sony Wiper Malware Destover, Threat Post (Dec. 4, 2014), https://threatpost.com/details-emerge-on-sony-wiper-
malware-destover/109727/.
51 Deleting the master boot record of a hard drive makes it practically impossible to access the data on the drive,
even though it is still present.
the possibility that a cyber operation could justify actions in self-defense in its 2011
International Strategy for Cyberspace: “When warranted, the United States will respond to
hostile acts in cyberspace as we would to any other threat to our country.”52 If an apparent
espionage operation can so quickly turn destructive, at what point is a State justified in
aggressively acting in anticipation of a cyber attack?53
CONCLUSION
As discussed here, the tactics and techniques used in espionage and military operations in
cyberspace are often identical. Although it may be easy to determine the purpose of an action
when reviewing the results of cyber activity, mid-operation – when responses are being
considered – there is great potential for international misunderstanding and miscalculation.
There is not an easy fix; it is simply a situation with which the international community must
contend. Espionage will continue to be required as part of a responsible strategy prior to military
action, and there is no indication the world’s “second oldest profession” will end even in the
absence of aggressive intent, because it supports economic and diplomatic strategies, as well.
The observation that for a significant duration of a continuous cyber event it is impossible
to distinguish between espionage, preparing the environment for a cyber attack, and the
beginning of a cyber attack is unlikely to change the behavior of States. Despite the potential
pitfalls set out here, States will continue to pursue courses of action – in this case the cyber
52 See EXEC. OFFICE OF THE PRESIDENT, INT’L STRATEGY FOR CYBERSPACE: PROSPERITY, SECURITY, AND OPENNESS
IN A NETWORKED WORLD 14 (2011),
https://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace .
53 Of course, the difficulty of attributing cyber actions to a particular State could mean that the target of aggressive
self-defense would be uncertain, but that just makes the situation more dangerous, as even uncertain national leaders
might feel compelled to “do something” to demonstrate to a restive population they are still in control.
options – they think best serve their own interests. Cyber espionage in particular is likely to
continue to increase, as it results in the collection of huge amounts of strategic data for
intelligence agencies. Rather than focusing on the unattainable, policy efforts would be better
spent elsewhere. States should not attempt to create a different standard for cyberspace
espionage, and for different types of espionage in cyberspace. Often, military operations in
cyberspace and cyber espionage are distinguishable only by intent, which is difficult or
impossible for the victim to ascertain. States should rather focus on the actual actions, as it is the
behavior and the effects that determine international legality, not the intent of the actor. States
might be reluctant to agree to stop engaging in strategically lucrative activity in return for
increased international cooperation, but the expedient path of trying to divide cyber activities
into categories of good and bad does not seem to have resulted in increased international
understanding about state-sponsored cyber activities.
In a loosely governed environment like cyberspace, a shared understanding of the
boundaries on acceptable behavior may be the best way to avoid unnecessary tension, or even
escalation to hostilities. Discussions about what is okay and what is not would be easier if they
focused purely on the activities themselves, rather than trying to pigeonhole cyber behaviors
according to intent.
Summary of a Roundtable Discussion (October 2012)
Cyberpower and National Security
NCAFP
ABSTRACT Expert speakers discussed cyberchallenges that have emerged,
including the strategic threats posed by cyberespionage and threats to
critical infrastructure, as well as the types of domestic and international
diplomacy and other forms of responses needed to respond to these challenges.
They discussed issues pertaining to Internet governance, the increasing
interest of states in governing the Internet, and the risks their involvement
poses to the current multi-stakeholder governance model. Discussions also
focused on whether cyberspace is a war zone, assessing this question from
the perspective of three levels of warfare: strategic, operational, and tactical.
Finally, the roundtable closed with a discussion on the role of cybersecurity
in bilateral relations between the United States and China.
KEYWORDS China; critical infrastructure; cybersecurity; cyberspace; diplomacy;
espionage; Internet governance; United States; warfare
CYBER-RELATED CHALLENGES: IMPLICATIONS FOR
AMERICAN FOREIGN POLICY, NATIONAL SECURITY,
AND SOVEREIGNTY
The first speaker focused on the nature of the cyberproblems that have
emerged, giving particular attention to the strategic threats posed by
cyberespionage and threats to critical infrastructure and also highlighting the
types of domestic and international responses needed to deal with these
problems.
The Attack Problem
The first speaker outlined the main problems that have emerged in
relation to cyberspace, including problems related to privacy, free speech,
crime, espionage, and critical infrastructure. He noted that, with regard
to national security, cyberspace poses two main problems: the espionage
problem and the attack problem. There are also several types of attacks:
remote attacks (e.g., the Chinese attacks on Google and scores of other
U.S. companies in 2010 and the more recent Night Dragon attacks on oil
and gas companies); near-end attacks (e.g., the Stuxnet attack on Iranian
nuclear centrifuges or attacks on U.S. classified systems,
some of which date back to 1998); insider
attacks (e.g., Wikileaks or the recent insider attacks
on the Saudi Aramco oil company that wiped the
data from 30,000 computers); supply-chain attacks
(e.g., the infecting of software at the production
stage so that a computer is automatically conscripted
as a “Botnet” without the owner’s knowledge).
Policy observations are the “For the Record” in this issue.
American Foreign Policy Interests, 35: 45–58, 2013. Copyright © 2013 NCAFP.
ISSN: 1080-3920 print/1533-2128 online. DOI: 10.1080/10803920.2013.757960
Secretary of Defense Leon Panetta’s recent speech
focused sharply on the attack problem, particularly
the risk that certain attacks could bring down U.S.
critical infrastructure with huge consequences for
U.S. national security.1 In reality, however, evidence
that this type of attack has occurred or that it will
occur is limited. A major attack would be evident.
Indeed, if the United States were subjected to a major
attack, the attack would manifest itself in a range of
ways and different vulnerabilities would be exploited.
A major cyberattack would most likely be associated
with a kinetic attack, and it would occur under a set
of geopolitical circumstances that would signal that
something major was under way. In this regard, the
speaker stressed the importance of understanding
the scenario, understanding signals, and understanding
the circumstances under which a major attack
might occur as an effective means to implement
appropriate preventive measures.
Attribution has been an important problem. At the
same time, however, media and state officials are
increasingly attributing attacks to different countries
(e.g., the recent attacks on Bank of America were
attributed to Iran, while a recent intelligence report
placed Russia and China at the center of economic
espionage attacks). Greater certainty about the perpetrators
of attacks can help in terms of de-escalation
and deterrence.
Non-state actors such as terrorists pose a different
set of challenges. For the most part, important terrorist
groups do not currently have the capability to
conduct a major attack against the United States.
They can, however, hire criminal networks that do
have the capacity to develop sophisticated capabilities.
Recent testimony by the Department of Justice
laid bare how terrorists have, in effect, attempted
to seek the support of criminal groups to develop
sophisticated cyber-capabilities.2
The speaker stressed that if this is the landscape—
different types of attack capabilities, with countries
and people who might want to use them against the
United States, a country that, because of its depen-
dence on cyber tools, platforms, and capabilities,
is extremely vulnerable to attack—a set of interde-
pendent responses needs to be developed. These
responses would require the participation of a broad
range of actors from the public and private sectors
and from the technical, political, diplomatic, economic,
and security spheres; they would require strategic
decisions on how to take advantage of capacities and
capabilities that are already available; such responses
would also require a significant amount of work at
the international level with both allies and adversaries.
Building Resilience
On the technical side, the speaker stressed the
importance of developing resilient systems and open-
ing up the space for cooperating with like-minded
nations. In building resilience, separating the differ-
ent types of problems is important. While protection
of intellectual property is important, once it is done, it
is done. In comparison, protecting operating systems
or critical infrastructure is much more complex and
requires building resilience into the systems. If an
electricity grid is brought down through an attack,
significant effort needs to be made to keep it down
because electricity grids have built-in protection to
handle blackouts. Significant capabilities, including
insider intelligence, would be needed to bring down
and keep down an electricity grid. Hence, in entering
into conflict with an adversary, what is critical is to
keep all or most systems operating at a minimal level.
For this, system resilience is required.
The speaker noted that a range of actions can be
taken to build resilience into systems. For example,
the Australians launched a campaign entitled ‘‘Top 4
Mitigation Strategies to Protect Your ICT System,’’
which includes patching systems as soon as they have
been attacked.[3] This, however, presents its own set of
problems, not least because those who run the elec-
trical grid need to maintain a lot of reliability; before
they patch the system, they need to make sure they
do not undermine the reliability of the rest of the
system. Rather than the 48 hours suggested by the
Australians, reliably patching an electrical grid while
maintaining the integrity of the system might take
up to one month. Solving this timing issue remains
a significant challenge. Other technical solutions
include integrity checks—making sure your system
is good, that it meets standards, and that it is checked
periodically.
The main problem with technical efforts to build
resilience is that they have not been brought together
under an architecture that really makes them work.
There is no one set of standards providing guidance
to companies on how they ought to pull together
existing capabilities or that highlights the capabilities
that could be made available through research and
development (R&D). In this regard, an important
question is who should be setting these standards:
government, industry, or a combination of both.
Public–Private Partnerships for Standard Setting
The speaker referenced the legislative package
that is pending approval in Congress, suggesting that
rather than covering the 18 critical infrastructures as
the current package does, a more strategic approach
would be to prioritize efforts. The focus could per-
haps be on developing standards for core critical
infrastructure such as the electricity grid, telecommu-
nications, financial, and transportation systems, and
then gradually develop standards for the remaining
infrastructure. Standard development should involve
the private sector, not just because they ‘‘own’’ the
systems, but also because they have the expertise
and the access to much operational information that
the government may not. Companies like Verizon
and other Internet service providers (ISPs) can
observe a lot of irregular activity on their systems,
but they do not have the authority to do much about
it. It may well be the case that they should not oper-
ate without government involvement or approval—
for example, should private companies be permitted
to enter into somebody’s server to clean out viruses
or attack vectors? Or, how far outside their own bor-
ders can the private sector, the military, or the police
work? Agreement on ‘‘rules of engagement’’ is
urgently needed. In short, public–private partner-
ships for the development and adoption of standards
that continue to foster innovation, and are flexible
enough to be adapted when necessary, are crucial.
Working with Like-Minded Nations
The speaker stressed the importance of working at
the international level, suggesting the establishment
of a group of like-minded countries that draw in
strategic decision makers from the public and private
sectors to develop standards and build operational
capacities. He noted that such a body could be
developed along the lines of the voluntary Financial
Stability Board—which emerged from the Basel
agreements.[4] A ‘‘Cyber Stability Board’’ could focus
on standard-setting and could initially include coun-
tries that have a tradition of working together such as
the United States, the United Kingdom, Canada,
Australia, France, Germany, the Republic of Korea,
and Japan. In the absence of such a body, the current
ad hoc approach will continue, and the involvement
of institutions that are not well-suited to deal with the
current set of problems will increase.
Working with Non-Like-Minded Nations
The speaker also emphasized the importance of
working with non-like-minded countries, China and
Russia, for example, on issues of strategic import such
as economic and industrial espionage. Since these are
sensitive issues, seeking common ground on issues of
mutual concern such as terrorism or cybercrime is
important. At the same time and despite the launch-
ing of formal diplomatic processes and Track 1.5
and Track 2 processes with Russia and China, agree-
ment even on these less-sensitive issues is a long way
off, with much work remaining to be done.
The Importance of Sovereignty
The speaker noted that it is also important to elev-
ate current thinking on questions of sovereignty and
cybersecurity to the international level. For example,
if enough evidence exists that a country, individual,
or group of individuals is engaged in cyberespio-
nage, the United States could use approaches that
are common in the public health arena. For example,
during an outbreak of severe acute respiratory syn-
drome (SARS), people are placed in quarantine and
borders become important. The speaker questioned
whether this is something that could be applied to
cybersecurity—that is, placing those who propagate
viruses in quarantine. He also cautioned that such a
move would require congressional approval and
would most likely spark controversy and be contested
since freedom of expression would be curtailed as
would the free flow of information. The speaker also
suggested that thought be given to the possibility of
promoting a cyber-sanctions regime, similar to the
counterterrorism and non-proliferation sanction
regimes. Such cyber-sanctions would give the presi-
dent the authority to issue sanctions against persons,
companies, or governments that use cyber tools as a
means of ‘‘attacking’’ the United States.
The Importance of Strategy
On a final note, the speaker observed that while
many of these attacks happen via cyberspace, it
is improbable that a major attack on the United
States would elicit a cyber-response. Rather, a more
strategic approach would need to be employed.
Such an approach would place the protection of
the U.S. economy (not just individual companies
and agencies) at its center. It would include diplo-
matic, economic, kinetic, and cyber efforts. It would
focus on strengthening domestic capabilities and
capacities, working with other countries to develop
standards, and working internationally to find com-
mon interests with adversaries.
WHY INTERNET GOVERNANCE MATTERS
The second speaker presented on the history of
Internet governance, shifting trends, the increasing
interests of states in governing the Internet, and the
risks that this poses to the current model of Internet
governance.
The second speaker began his presentation by clari-
fying the distinction between the Internet and cyber-
space, noting that the general tendency is to conflate
the two terms. While the Internet is part of cyberspace,
there is a lot more to cyberspace than just the Internet.
For example, radar systems, air traffic control systems,
and inter-banking networks are not part of the Inter-
net, but they are part of cyberspace. The Internet is
what individuals interface with most and has been
the main growth area over the past two decades.
The Current Model of Internet Governance
The speaker’s presentation focused mainly on Inter-
net governance rather than the broader concept and
reality of cyberspace. He touched on the origins of
the Internet and how it developed from experiments,
originally within the Defense Advanced Research
Projects Agency (DARPA; ARPANET). He stressed
that what is often forgotten is that the technology
underlying the Internet, the actual protocols and
the software—what makes the Internet work—have
their roots in the 1970s and have remained largely
unchanged. Indeed, the code that we use to inter-
operate (e.g., the protocols that allow Verizon to talk
to AT&T, British Telecom, China Telecom, and so
on, and the protocols that allow us to use Google,
YouTube, and so on) are more than 35 years old.
While some new protocols have been developed,
the basics of the Internet remain the same. The Internet
arose from academic research and experimentation.
The governing model that underpinned the original
Internet reflected its experimental nature.
The same experimental, academic-based govern-
ing model is in force today. However, the question
of whether we want the Internet to remain an experi-
ment forever is gaining significant traction. The alter-
native would be to ‘‘lock it down’’ through standards
and regulation, but this might inhibit flexibility, inno-
vation, and learning from experimentation. At the
same time, the current loose technical standards pose
risks, as they allow for malicious behavior and permit
criminals and spies to take advantage of the lack of
security. Hence, significant tension has emerged
between openness and innovation and security.
The speaker highlighted the fact that older parts of
cyberspace have already been locked down via
standards and regulation. For example, the world of
telephony has been ‘‘locked down’’ since the 1950s
when agreement was finally reached on voltage
levels, frequencies, rates, tariffs, and tolls between
countries that exchange phone calls. The same pro-
cess occurred earlier with the telegraph and radio.
Today’s Internet is not really like the telegraph, the
radio, or telephones. Nonetheless, there are increas-
ing calls to apply these old regulatory models to the
Internet, subjecting the Net to trade agreements and
rules—old thinking of taxation and boundaries. This
frustrates users as the Internet tends to be governed
by the people who use it—people choose what they
want to do on the Internet and do not look to governments
to control or limit their capabilities.
The speaker noted that the question of personal
choice and personal freedoms is making countries
with authoritarian tendencies nervous, especially
since the Internet can empower citizens. Other nations
embrace the Internet and related freedoms. But even
in the United States, indecision is increasing about
what citizens are free to do, and whether to attempt
to control and govern the Internet. For example, the
U.S. Federal Communications Commission (FCC) is
seeking to find relevance with respect to oversight
of domestic Internet technical operations. Part of what
is frustrating the FCC is the 1996 Telecommunications
Act, which stated that the Internet should remain
unfettered, that it should not be placed under government
control.[5] There are exceptions made, of course,
for law enforcement and protection of children, but, in
general, the Act states that the Internet should be
allowed to function unfettered in the United States.
Notwithstanding, much has changed since 1996,
especially in the aftermath of 9/11. Several bills aimed
at regulating the Internet have been tabled in Con-
gress. These include the Stop Online Piracy Act
(SOPA), the Protect Intellectual Property Act (PIPA),
and the Cyber Intelligence Sharing and Protection
Act (CISPA). Many have not advanced because of
resistance from industry or from civil society. (A final
push by the Senate to pass their comprehensive cyber-
security bill during the November 2012 lame duck
session was not successful either.)
The Internationalization of Internet Governance
At the international level, a specialized agency of
the UN—the International Telecommunications
Union (ITU)—is the global governing body for the
electrical side of telecommunications and sets the
standards that allow people to use technology to talk
to one another, make phone calls, and so on. The
Internet has transcended all those rules, allowing
people to make calls using the Voice Over Internet
Protocol—VOIP (like Skype or Vonage) from com-
puter to computer free of telephony charges. Many
in industry and governments are bothered by this
ability to communicate using systems that bypass
traditional voice phone calls rules and tariffs.
Meanwhile, developing countries are voicing
increasing concerns about the digital divide that has
emerged and are requesting support in terms of fiber
optic cables, wireless, and so on, and the sharing of
technology. They are also calling for a stronger role
for government in determining standards for how the
Internet is run. While much room exists for discussion
on these issues, the speaker also stressed that many
countries would like their own physical social consti-
tutional norms to apply to cyberspace within their bor-
ders. In essence, they would like to place jurisdictional
boundaries on the Internet, so that they can also have a
say in controlling content. This is problematic, as the
Internet does not have boundaries unless they are
artificially imposed (e.g., China’s Great ‘‘Firewall’’).
The speaker mentioned that, in December 2012, an
important conference will be held in Dubai. The
International Telecommunications Union (ITU) will
host the World Conference on Information Telecom-
munications (WCIT), during which the International
Telecommunications Regulations (ITRs) will be
reviewed.[6] The review of the ITRs will include determining
whether standards and regulations that
govern telegraphy, radio, and telephony can be
extended to the Internet and subject to the ITU’s over-
sight. The speaker stressed that this is a crucial ques-
tion and could create significant tension between
states that have very different views about how to
make the technical side of the Internet work. He also
questioned whether such government involvement is
really necessary, since most technical problems are
generally resolved through informal collaboration
between technical experts, not between politicians
and diplomats or the military.
The Future of Internet Governance
Part of the governance challenge is that govern-
ments do not know how to react in situations that
emerge in cyberspace. For example, if an important
technical hitch is encountered or a technician misbe-
haves, affecting people across the globe, what
should be the response? Should it be more govern-
ance, more diplomacy? Or should we seek new solu-
tions for these challenges that have emerged in the
synthetic world we have created called cyberspace?
The speaker suggested that, sooner or later, we will
reach the point when everyone can communicate
and can conduct all their business via the Internet.
When this happens, we may find ourselves question-
ing the role of traditional governance and the rel-
evance of our governments. The first nation that
figures out the answer to that question (i.e., the role
nation-states can play in such a world) will dominate
for the rest of the century. For the United States (and
its allies), determining a winning response is para-
mount. The alternative would be to let another
nation or group of nations get the upper hand. The
United States would then spend the rest of the cen-
tury playing catch-up. This, the speaker noted, is
the current situation of Internet governance.
IS CYBERSPACE A WAR ZONE?
The third speaker focused his presentation on the
three levels of warfare—tactical, operational, and
strategic—describing current threats and responses
within each of these levels and tabling some initial
recommendations for how to move current discus-
sions forward.
The third speaker commenced his presentation
with a reference to how interest in cyberspace has
changed. Indeed, just five years ago, very few people
were talking about cyber-related issues; today,
some 29 derivatives of cyber exist—a whole lexicon
of terminology has since been created around cyber
and the whole world is talking about it. The speaker
noted that cyberspace is referred to as a ‘‘fifth
domain,’’ joining the strategic ranks of land, air,
sea, and space. The international community has
had a lot of time to develop standards, laws, and
rules of engagement (RoE) for behavior and opera-
tions in the other domains. We have yet to do the
same for cyberspace, which, in contrast to the other
domains, is man-made and, accordingly, poses
additional challenges. He presented cyberwarfare
within the context of the three levels of warfare:
Tactical Level—War with a Small ‘‘w’’
The speaker noted that this level of warfare is experi-
enced daily. Every day is a tactical-level battle for com-
panies, governments, and private citizens who are hit
by attacks. Technical experts spend their days fighting
adversaries on the network and protecting systems
from advanced persistent threats (APTs)—attacks and
fraudulent activity—and from attempts to extract intel-
ligence and obtain intellectual property. This, the
speaker noted, is a very low level of ‘‘warfare.’’ It is
a ‘‘cold cyberwar’’ of attrition. At the same time, a lot
of damage is being done and can have serious effects.
Operational Level—Cyber ‘‘Warm War’’ with a Small ‘‘w’’
This level of cyberwarfare includes the occasional
significant attacks that make the front pages of the
New York Times and the Wall Street Journal—for
example, the recent denial of service (DoS) attacks that
were carried out against Bank of America and other
banks. For the military, it was the attacks that led to
operation ‘‘Solar Sunrise’’ in 1998 that made the
Department of Defense wake up to its vulnerabilities.[7]
The attacks on Estonia in 2007 were also significant:
the entire nation, which depends extensively on
cyberconnectivity, was pretty much shut down for a
short period. Since then, illicit hackers have continued
to hone their skills and abilities. Today, these skills
are employed in sophisticated attacks or the use of
sabotage tools such as Stuxnet, which damaged Iran’s
nuclear centrifuges at Natanz; or extraction tools such
as Duqu and Flame, which are said to have mapped
U.S. gas pipelines and potential choke points. The
speaker referred to this as the ‘‘warm’’ level of cyber-
warfare. It has provoked political tension on inter-
national and domestic fronts. Internationally, tension
is emerging between nations as increasing evidence
is emerging that some countries are developing
and using these sabotage and extraction attack tools.
Domestically, this ‘‘warm war’’ is giving rise to a new
form of political contestation: An enormous amount
of cyber-related legislation is being drafted, debated,
and defeated. In 2011, some 85 pieces of legislation
were tabled; this year, some 40 pieces have
been tabled. Tension among and between members
of Congress and between Congress, the private sector,
and civil society over what should or should not be
included in these pieces of legislation is rising.
At this level, and also at the tactical level, cyberse-
curity is gaining importance within the legal sector.
Lawyers’ professional organizations need to under-
stand the issues in order to be able to advise their
clients, while a need to know how to argue these
issues in litigation also exists. Common terminology
is urgently required.
Strategic Level—Cyber ‘‘Hot War’’ with a Capital ‘‘W’’
The speaker noted that this level of cyberwarfare
involves military confrontation. At this level, much
work is needed to ensure that such confrontation is
avoided. What distinguishes this type of cyberwar-
fare from the other two? One, a cyber ‘‘hot war’’
would involve devastating, long-term effects. An
attack at this level would lead to the 5Ds: death,
destruction, damage, disruption, and devastating
economic loss. Two, this kind of cyberwarfare would
require congressional approval (in the other four
domains—land, air, sea, and space—Congress is [at
least in theory] supposed to declare when the United
States is officially at war). A major challenge with
cyberattacks would be determining the identity of
the enemy. Declaring war against a virtual activity
is very difficult. The speaker noted that preventing
cyberwar/deterrence has three requirements:
• Resilience: A resilient network can help deter
  someone from attacking you. Attackers know that
  if they persist and cannot gain access or disrupt
  a system, they will have to give up or eventually
  get caught by law enforcement.
• Recognition: Knowing who is attacking you, who
  the enemy is. The capabilities to enable such
  recognition need to be developed and implemented.
• Retaliation (attack capability): The United States
  won the cold war through a nuclear stand-off. If
  we can develop a capability and send signals that
  we have it and are willing to use it (as is increasingly
  being reported today), we could end up in a
  situation of mutually assured disruption (a MAD
  theory of cyberspace).
On a final note, the speaker mentioned the
ongoing work of the EastWest Institute, including
its annual Worldwide Cybersecurity Summit (Dallas
in 2010, London in 2011, New Delhi in October
2012); its Track 2 work with both Russia and China,
and the development of a common lexicon on cyber
with Russia.
THE ROLE OF CYBERSECURITY IN U.S.–CHINA RELATIONS: COMPETING INTERESTS AND STRATEGIES
The fourth speaker discussed Chinese interests and
behavior in cyberspace from an economic, military,
and political perspective and how these interests differ
from those of the United States. The presentation also
focused on U.S. efforts to engage China and prospects
for change in Chinese behavior.
Common and Conflicting Interests
The fourth speaker opened by referencing the U.S.
International Strategy for Cyberspace, which states
that the United States has a stake in ‘‘an open, secure
and global’’ Internet and cyberspace. He then noted
that China shares some common interests with the
United States in this area.
An Open Internet
The speaker observed that China’s Great Firewall
immediately suggests that the United States and China
do not share common interests about openness on
the Internet. China’s principal objective is to ensure
that information from the outside does not get in
and it has pretty much succeeded in keeping infor-
mation out: Google, Twitter, and Facebook are all
blocked. The Chinese Internet is, however, becoming
more open as, even in closed systems, controlling all
activity and content is impossible. This has resulted in
a constant ‘‘cat and mouse game’’ between the
government, whose aim is to control information,
and Chinese bloggers who wish to spread it.
A Secure Internet
The speaker noted that the United States and
China do have a shared interest in having a secure
Internet. Chinese cybercrime, Chinese crime directed
at Chinese companies, Chinese criminal hackers—all
are increasing. The Chinese are particularly worried
about terrorist attacks on their infrastructure. The
challenge is that the United States and its allies con-
stantly use the term ‘‘cybersecurity,’’ referring to the
security of the Internet’s architecture and ensuring
point-to-point free flow of information. The Chinese
and the Russians, however, use the term ‘‘infor-
mation security,’’ which includes the security impli-
cations of the content that flows on the Internet.
For the Chinese, the threat is not only the hacker in
the basement, but the threat of information security
to regime stability. These different goals, different
nomenclature, and different definitions have ren-
dered discussions with the United States difficult
because the United States is unlikely to trade Internet
freedom for Internet security.
Global Standards and Interoperability
The speaker stressed that developing global stan-
dards is important to business expansion and inno-
vation. On this point, he noted that the Chinese are
of two minds. Central policymakers are worried
about the longer-term impact of technological depen-
dence on the West. Their strategy for achieving inde-
pendence is through a policy focused on indigenous
innovation—the creation of Chinese competitors to
U.S. companies. This is already happening in the
technical cybersecurity realm through MPLS,[8] encryption,
and so on. Chinese firms are of two minds on
this policy, however.
Competing Visions of Internet Governance
The United States has a vision of Internet gover-
nance that is multi-stakeholder, bottom-up, academic,
transparent, and involves non-state actors. This
approach is anathema to the Chinese as their goal is
to reassert state sovereignty over Internet governance.
They are trying to achieve this goal through the ITU
and other platforms. In short, the United States and
China share few interests and certainly disagree on
how to shape Internet governance. The speaker
raised the question of why the Chinese are trying to
shape the Internet—noting that they are doing so
because they can and also because they are seeking
economic, military, and political advantage.
The Economic Perspective
From an economic perspective, clearly the Chi-
nese do not want to be dependent on the West. This
is a very legitimate side of China’s technology policy
and to that end, the country’s leaders plan to increase
R&D spending to 2.1 percent of Gross Domestic
Product (GDP) this year and to 2.5 percent by
2020. Indeed, China plans to be a significant power
in innovation by 2049. China has a human resource
advantage. This year, some six million college stu-
dents will graduate, 60–70 percent of them in science
and engineering. The illegitimate part of China’s
innovation policy, however, remains the theft of
intellectual property (IP). As noted earlier, IP theft
happens in the traditional way as well as through
cyberespionage. The latter has been said to represent
the greatest transfer of wealth in history.[9] China
engages in such theft because it can and because
limited risk is involved.
The Military Perspective
Militarily, China sees itself as the weaker power—
especially in a force-on-force possible engagement
with the United States. Over the past twenty years, it
has been considering issues such as how to attack
U.S. weaknesses, how to develop an asymmetrical
strategy. The Chinese have observed the use of
asymmetrical strategies to counter ballistic missiles
for example by targeting aircraft carriers in the sea,
in satellite programs—and now in cyberspace. For
example, all the Chinese open source writings from
military analysts suggest that one way to impede the
United States is by making sure that supply ships do
not rendezvous on schedule. There is a strategic
element in this behavior: if the Chinese are in our
networks and leave little hints behind that they were
there, they are sending a reminder or signal to the
United States that if a regional conflict should arise
and if it escalates, we Chinese can do something
about it.
The Political Perspective
China is using cyberspace to respond to many of
its domestic political concerns. For example, the
issue of Tibet remains an important political concern.
Tibetan activists are often drowned by spam sent by
Chinese hackers, e-mails are hacked, and think tanks
focusing on Tibet are attacked. China uses hackers as
proxies to either silence or shape debate within and
outside its own cyberspace.
Chinese Views of U.S. Behavior
According to the speaker, China considers much of
the U.S. position on cyberspace and the Internet to be
hypocritical. While the United States has said that
it wants a peaceful cyberspace, China accuses the
United States of militarizing the Net through the estab-
lishment of the U.S. Cyber Command and the deve-
lopment of capabilities such as Stuxnet. China also
assumes that U.S. intelligence agencies are in their
networks and that the United States is spying on
them all the time. Such suspicions may have a strong
foundation since at one point 95 percent of Chinese
government offices were using the easily penetrable
(and pirated by them) Microsoft Word software. The
United States will only discuss economic espionage,
refusing to talk about political or military espionage.
China views the ongoing Huawei debate as parti-
cularly hypocritical, first because they believe it was
begun by Cisco Systems, which has its own vested
interests, and, second, because almost all the threats
discussed about Huawei—the insecurity of its supply
chain, the unreliability of its middle managers, the
insider threat—can characterize any telecommunica-
tions company in the world.
As noted, China is not comfortable with the current
system of Internet governance and views the refusal
of the United States to negotiate a new deal as the
United States wanting to preserve a status quo that
only benefits the United States. However, most other
countries, including India and Brazil, which in many
ways are becoming more important than China, are
insisting on change. In essence, the United States
has not yet put anything positive on the table.
U.S. Engagement with China
Deterrence
The establishment of the U.S. Cyber Command
and Secretary of Defense Panetta’s speech warning
of an imminent ‘‘cyber Pearl Harbor’’ were part of
it.[10] Secretary Panetta basically said that the United
States is getting better at resolving attribution and
will respond. Many interpret the secretary’s speech
as an attempt to deter Iran, but the speech was also
directed at China.
Naming and Shaming[11]
After the attack on Google two years ago, U.S.
government officials would refer to nation-states
being behind the attack but would not name a spe-
cific country. They would then call experts to con-
firm their suspicions. Today, no calls to experts are
made—U.S. officials have readily identified China
as the perpetrator of cyberespionage attacks.[12]
Official Dialogue Channels
Cybersecurity now forms part of the strategic
economic dialogue with China. Both secretaries
Clinton and Panetta raised cyber-issues with their
counterparts during their last meeting.
Track 2 Processes
Different Track 2 processes with China have
already been launched, including those facilitated
by the Center for Strategic and International Studies
(CSIS) and the EastWest Institute (EWI). The goal is
to find some areas of commonality upon which
cooperation can be established. Other Track 2 efforts
include joint reports or joint initiatives such as a
recent EWI report—‘‘Fighting Spam to Build
Trust’’[13]—which focused sharply on the question of
‘‘dual illegality.’’ The problem with dual illegality col-
laboration is that, in some cases, what China ident-
ifies as criminal behavior, the United States views
as politically motivated behavior. In addition, coordi-
nation has not been very good with the FBI and the
Department of Homeland Security, while communi-
cation between U.S. and China Computer Emergency
Readiness Teams (CERTs) is nonexistent.
Prospects for Change in China’s Behavior
The speaker noted that for now and probably in
the immediate future, China views the United States
as more vulnerable than itself, partly because of the
nature of the U.S. economy, its military, and partly
because of China’s Internet infrastructure. China’s
Internet has fewer access points; accordingly,
controlling it is easier. That will change over time,
not least because China’s economy is expanding
and becoming increasingly dependent on the
Internet for growth and, thus, will eventually need to
open up. Indeed, Chinese business wants
innovation in this space, and China’s military—the
People’s Liberation Army (PLA)—wants to become
a Net-centric fighting force. It wants to look like
the United States, so it is developing relevant
capabilities.
Over time, this race to match U.S. technological
superiority might lead to what was referred to
earlier as mutually assured disruption (MAD),
with both sides considering nonaggressive action
in cyberspace as the best course. For now, however,
China still sees the United States as the more
vulnerable, which could very well lead to reckless
behavior triggering or escalating an existing crisis.
The Chinese see taking out U.S. systems as a
low-cost endeavor. Accordingly, the United States
will need to determine how to signal that this is
not the case.
China’s behavior may change over time because
(even though there is currently no evidence) factions
might emerge within its government who believe
that hacking long term is not in China’s interest and
that creating their own standards and cutting
themselves off from the rest of the world is not going to
help China’s growth. These factions might push for
more openness. In addition, there are also those
who do consider (and worry about) China’s
relationship with the United States, the EU, and Japan—the
country’s most important economic partners.
On a final note, the speaker stressed the importance
of examining how China participates at the
global level. China is no longer a revolutionary
power or state; rather, it is a status quo power and
generally does not like portraying itself as playing
outside the global order. This became very clear with
the issue of proliferation. China’s behavior was and is
not perfect in certain decisions about Iran, but tracking
China’s behavior in missile control shows that
their behavior at the international level has shifted.
Looking to the future, the main challenge will be to
determine whether we can define common norms
with China for operating in cyberspace. The speaker
noted that the United States has been actively
attempting to do so. The signals, however, are not
particularly encouraging. For example, a couple of
weeks ago, Harold Koh, a State Department legal
adviser, gave a speech on the Laws of Armed Conflict
(LOAC) and their applicability to cyberspace, noting
that the U.S. position is that they are applicable.[14]
China, on the other hand, believes that the LOAC
do not apply to cyberspace; that cyberspace is
a new area and that new treaties are required.[15]
These opposing positions are difficult to bridge. In
the long term, what will be more important will be
to bring emerging large democracies such as India,
Brazil, Indonesia, and South Africa on board and
focus discussions on values and reaching common
ground on norms. These are all long-term goals
and will take some time to achieve. In the short term,
the speaker recommended that the United States
focus on developing resilience and defenses and
identifying entry points for working with China.
QUESTION AND ANSWER SESSION
On China
The first question raised the issue of China’s efforts
in cyberspace and whether these are centralized or
coming from different quarters; whether the United
States is aware of the people involved; and whether
efforts have been made to recruit them. One of the
speakers noted that to his knowledge, strategic goals
are set at the top, but below that, control and coherence
of effort are more complicated despite China’s
centralized and heavily controlled political structure.
What is apparent, however, is the merging of criminalized
and espionage networks. Signals intelligence
(SIGINT) could possibly help identify individuals
and networks as they all must log in and log out of
systems at some stage. If individuals are identified,
sanctions could be used against them. To date, the
United States has a mediocre record at both identifying
and recruiting Chinese hackers.
On the Advantages and Disadvantages of Operating in a “Cyber Jungle”
One of the participants commented on how the
United States, China, and Russia tend to demonstrate
intractability on different cyber-related issues in a
range of fora, including on cyberterrorism, cybercrime,
and cyberwarfare. For example, Russia has
been pushing for the adoption of an international
convention that includes references to terrorism and
cybercrime, as well as to broader conflict.[16] The
U.S. position is that such a convention is unnecessary
as these issues are already addressed in existing treaties
and conventions. Meanwhile, the private sector
has emphasized that the United States has no interest
in regulating cyberspace since the United States benefits
more than any other country from the cyberspace
“jungle,” from the “fog” or “chaos” that has
emerged in relation to the domain. The United States
is more advanced in terms of offensive capabilities,
has more effective penetrating capabilities, and,
therefore, has limited interest in regulating the space.
The United States also has other advantages in the
cyber “jungle,” including that cyber platforms, the
Internet in particular, allow the United States to promote
democracy in parts of the world where political
leaders are trying to censor information. Without this
“jungle,” the Arab Spring might not have come about.
Both China and Iran are deeply concerned about this
“jungle” and are trying to contain it.
The participant then questioned whether the
United States is really a victim, as it often makes itself
out to be [referencing Secretary Panetta’s speech on
an imminent “cyber Pearl Harbor”] or whether it actually
has the upper hand and really just has to lower
the risks involved and upgrade the advantages.
Speakers responded that, indeed, countries like China
and Russia also take advantage of the “jungle” that is
cyberspace as it allows them to engage in actions that
would otherwise be unacceptable. One speaker in
particular emphasized that it is, however, important
to remedy some of the chaos, to give some order to
the “jungle” so we can actually see what is happening
in cyberspace. It is an awkward position—U.S.
foreign policy (like that of China, Russia, and others)
prefers the smoke as it covers otherwise unacceptable
actions, but officially and diplomatically, the United
States must maintain the stance that there are different
ways of seeking solutions.
On the Role of the Private Sector
One of the participants raised the question of what
private sector companies—Google, Microsoft, Verizon,
and so on—are actually thinking and doing about
cyberthreats. One of the speakers responded that their
voices are becoming part of the crucial conversation,
and they are increasingly insisting that the Internet
should not be regulated or locked down through
treaties and conventions—especially in the context
of international peace and security, where the role
technology companies play is unclear. Other questions
that remained unanswered related to the role
of the private sector in cyberdiplomacy and in discussions
on international treaties, and so on with the
insistence that something new needs to be developed.
At the operational level, more discussion on the
role of the private sector is urgently needed as companies
do not necessarily want to become combatants,
yet are heavily involved in defending systems
or are increasingly asked by government to remove
content or defend sites from specific content. Some
firms are becoming involved in offense, operating
like mercenaries or defense contractors, and making
money from the alleged threat of “cyberwar.”
On the Role of the Military
Questions were also raised about the role of the
military in responding to cyberchallenges, not least
because the United States and Russia generally
send military representatives to meetings attended,
for the most part, by law enforcement and intelligence
representatives. One of the speakers stressed that, at
least in relation to the United States, the Department
of Defense is deeply involved because it has been
the target of attacks since as early as 1998 and has
developed significant expertise in the areas of defense,
offense, exploitation, and resilience. The Department
of Homeland Security was only established in 2003
and is still developing expertise in these areas.
Another participant raised the question of whether
the United States currently has the capabilities to
fight and win a simultaneous pre-emptive cyberwar
against Russia and China. One speaker responded
that the United States does have tremendous capabilities
and has been developing them over the past
fourteen years, but other countries are also developing
them.[17] How a pre-emptive attack would play
out is unclear, however.
On the Role of the Legislature and Lessons from Other Regimes
One of the participants raised the question of
whether too much is being made of the extent of
the threat in cyberspace, referring to similar concerns
that emerged about the creeping weaponization of
outer space and unfounded warnings of a potential
“Pearl Harbor” in outer space just a decade ago.[18]
The participant also questioned whether the current
use of a war lexicon—cyberwar, deterrence, cyber
MAD, cyber cold war, hot war, and so on—is pushing
the militarization of the domain as had been
the case with outer space. Regarding the role of Congress,
the participant questioned what the current
political will is in relation to responding to cyberthreats,
suggesting that lessons might be drawn from
the Nunn-Lugar legislation on Cooperative Threat
Reduction (CTR). This legislation addressed itself
predominantly to the United States and Russia drawing
down nuclear arsenals after the cold war.[19]
Today, discussions are being held on the possibility
of extending the Nunn-Lugar CTR package to include
coalitions of like-minded nations. With obvious
differences, the term “CTR” certainly seems to apply
to the cyber-arena. In this regard, the participant
questioned whether there is any impetus in Congress
to adopt some form of a CTR for cyberspace? Is there
political will to do so? Is it a feasible proposition?
One of the speakers responded that given the
current impasses in Congress on cyber-related
legislation, a CTR for cyberspace is highly unlikely.
At present, the only point there has been agreement
on, and which flows through each of the 40+ pieces
of legislation being debated in Congress, is the
provision to share information between the private
and public sectors. However, the actual scope of
information sharing is bogging down even that
agreement. In addition, major differences have
emerged between those who are pro-standards and
recommendations and others, such as the U.S.
Chamber of Commerce, that oppose standards and
recommendations. The question of who is responsible
for protecting civilian infrastructure also
remains a challenge.
Another participant raised the issue of awareness
of the challenges within Congress. Speakers highlighted
the challenges of working with staffers within
the Senate. The National Cyber Security Alliance
(NCSA) established Cyber Security Awareness Month
and is also engaging members of Congress and staffers
through workshops, and so on. Staffers are ultimately
responsible for drafting legislation, but most
senators’ briefings by the intelligence services are
classified, thus staffers are not privy to vital information.
Reference was also made to the importance
of developing public–private partnerships at the state
and city levels—including as a means to share the
cost burdens of responding to cyberattacks.
At the international level, and as noted earlier,
Track 1.5 and Track 2 diplomacy processes can play
a significant role, as they can foster dialogue on these
issues in support of formal diplomatic processes,
such as the U.S.–Russia agreement to establish a
cyber “hotline”—a crisis communications line similar
to the one established during the cold war. The
Nunn-Lugar process started through Track 1 and
Track 2 processes and gradually led to the CTR.
One participant raised the question of whether,
given its experience in Track 2 processes, NCAFP
could play a role, particularly in fostering dialogue
with China on cyber issues as it is evident that crisis
communication is not in place.
Speakers responded that even discussions in
Washington about cyber-incident response plans
are more focused on domestic responses rather than
international responses and that much more structured
dialogue at the international level is required.
Discussions with China have already commenced
on pre-positioning and how and who to engage,
but it is clearly an area where the NCAFP could also
play a role. Working with like-minded countries such
as Australia could also be advantageous. Another
speaker stressed the importance of linking to government
efforts, at least partly because if Track 2 efforts
are to be useful, it is important to understand what
discussions are already under way. That knowledge
would help define entry points and assess the added
value of engaging; it would also enable analysts
and participants to report on the outcome of discussions.
A forthcoming EWI report, “Priorities for
International Communications,” will be able to shed
additional light on potential entry points for Track 2
processes.
Examples of ongoing formal diplomatic processes
at the international level that require further discussion
in order to understand their implications include: the
work of the Group of Governmental Experts (GGE)
taking place within the UN General Assembly’s First
Committee on Disarmament Affairs, which is focusing
on reaching agreement on norms and confidence-building
measures in cyberspace,[20] and regional-level
discussions that the Organization for Security and
Co-operation in Europe (OSCE) and the ASEAN Regional
Forum (ARF) are hosting on confidence-building
measures and other related issues.
THE HOST, THE PRESENTERS, AND OTHER PARTICIPANTS
The Host
Dr. George D. Schwab
President, NCAFP
The Presenters
The Honorable Franklin D. Kramer
Distinguished Fellow, Atlantic Council
Lt. General Harry D. Raduege, Jr. (USAF, Ret.)
Chairman, Deloitte Center for Cyber Innovation
Marcus H. Sachs
Vice President of National Security Policy, Verizon
Communications
Dr. Adam Segal
Maurice R. Greenberg Senior Fellow, Council on Foreign Relations
Other Participants
Professor Giuseppe Ammendola
New York University
Mr. Kevin Backus
Director of Equities Research and Trading, BGC
Financial
Mr. Randolph Bell
Managing Director, The International Institute for
Strategic Studies–U.S.
Mr. Carter Booth
Trustee, NCAFP
Mr. Sidney J. Caspersen
Assistant Commissioner, NYPD
John V. Connorton, Jr., Esq.
Trustee, NCAFP, and
Partner, Hawkins Delafield &
Wood LLP
Captain Peter A. Garvin
Military Fellow, U.S. Navy, Council on Foreign
Relations
Mr. Thomas Glynn
Captain, NYPD
Mr. Thomas E. Graham
Managing Director, Kissinger Associates, Inc.
Ms. Edythe M. Holbrook
Trustee, NCAFP
Richard R. Howe, Esq.
Trustee and Treasurer, NCAFP
Mr. David P. Hunt
Chairman, Charles Pratt & Co.
Ms. Angela Kane
High Representative for Disarmament Affairs, United
Nations
Ms. Camino Kavanagh
PhD Candidate, Department of War Studies, Kings
College Fellow, Canada Center for Global Security
Studies, Munk School, University of Toronto
Mr. Igor Kharkov
NETSEC Group Manager, Thomson Reuters
Mr. Peter Maass
Author and Journalist
Ms. Hatice U. Morrissey
Vice President, Trustee, NCAFP
The Honorable Matthew Nimetz
Trustee, NCAFP, and
Advisory Director, General Atlantic
Mr. Charles Ortel
Managing Partner, Newport Value Partners, LLC
Ms. Missy Owens
Director of Public Affairs and Government Relations,
The Coca-Cola Company
Mr. William M. Rudolf
Executive Vice President, NCAFP
Dr. David Scharia
Security Council Terrorism Committee Executive
Directorate, United Nations
Mr. David C. Speedie
Senior Fellow and Director, U.S. Global Engagement,
Carnegie Council
Notes
1. See http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html?pagewanted=all.
2. http://www.fbi.gov/news/testimony/cybersecurity-responding-to-the-threat-of-cyber-crime-and-terrorism.
3. The top four mitigation strategies referred to are: (i) patching
systems; (ii) restricting administrative privileges; (iii) application
white-listing; and (iv) creating a defense in-depth
system. See www.dsd.gov.au/publications/Top4 Mitigation
Strategies to Protect Your ICT System .
4. The Financial Stability Board (FSB) was established to coordinate,
at the international level, the work of national financial
authorities and international standard-setting bodies and to
develop and promote the implementation of effective regulatory,
supervisory, and other financial sector policies in the interest
of financial stability. See www.financialstabilityboard.org.
5. Article 230(b) of the Telecommunications Act of 1996 states
that it is the policy of the United States, “to promote the continued
development of the Internet and other interactive
computer services and other interactive media [and] to preserve
the vibrant and competitive free market that presently
exists for the Internet and other interactive computer services,
unfettered by Federal or State regulation.”
6. ITRs serve as “the binding global treaty outlining the principles
which govern the way international voice, data and
video traffic is handled, and which lay the foundation for
ongoing innovation and market growth.” According to the
ITU website, “[t]he ITRs were last negotiated in Melbourne,
Australia, in 1988, and there is broad consensus that the text
now needs to be updated to reflect the dramatically different
information and communication technology (ICT) landscape
of the twenty-first century.” See
http://www.itu.int/en/wcit-12/Pages/default.aspx.
7. While it was initially assumed that the attacks emanated
from a state actor or terrorist group, operation Solar Sunrise
investigations revealed that the attackers were actually two
teenagers from California and one from Israel. For further
information, see http://www.wired.com/threatlevel/2008/09/video-solar-sun/.
8. Multi-Protocol Label Switching.
9. This statement was made by U.S. Army Gen. Keith B. Alexander,
Director of the National Security Agency (NSA) and
Commander of the USCYBERCOMMAND at an American
Enterprise Institute (AEI) event on July 9, 2012.
10. Defense Secretary Panetta spoke of an imminent “cyber
Pearl Harbor,” warning that the United States was “increasingly
vulnerable to foreign computer hackers who could
dismantle the nation’s power grid, transportation system,
financial networks and government.” The speech was given
at an event held at the Intrepid Sea, Air and Space Museum
in New York on October 11, 2012. See
http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html?pagewanted=all&_r=0.
11. Harvard Professor and strategist Joseph Nye has talked about
“high-cost” cyberdeterrence strategies such as “naming and
shaming” the country where the attack originated: A country
that engages in such attacks might be regarded as a risky place
to do business, to invest, to keep one’s money. He notes, however,
that making that kind of subtle deterrence work requires
a much better ability to attribute an attack to a specific nation,
and maybe to specific actors inside that nation. David E.
Sanger (June 5, 2012), Confront and Conceal: Obama’s Secret
Wars and Surprising Use of American Power (Kindle Locations
4280–4282). Random House, Inc., Kindle Edition.
12. For example, both China and Russia were openly named
in the Annual Report to Congress on Foreign Economic Collection
and Industrial Espionage published in November
2011 by the Office of the Director of National Intelligence.
13. http://www.ewi.info/fighting-spam-build-trust.
14. See remarks of Harold Hongju Koh, the U.S. Department of
State’s Legal Advisor on “International Law in Cyberspace”
at the USCYBERCOM Inter-Agency Legal Conference, Ft.
Meade, MD, September 18, 2012, at
http://www.state.gov/s/l/releases/remarks/197924.htm.
15. In November 2011, China and Russia backed by Tajikistan
and Uzbekistan tabled a proposal for an International Code
of Conduct for Information Security. The Chinese–Russian
proposal discusses the security challenges cyberspace
presents to the international community and proposes the
need to establish rights and responsibilities of states in protecting
information networks and cybernetworks. The
proposal says states should respect domestic laws and sovereignty,
but also calls for a multilateral approach within the
framework of the United Nations to establish international
norms and settle disputes about cyberspace. See the Letter
to the UN General Assembly from China, Russia, Tajikistan
and Uzbekistan at http://www.citizenlab.org/cybernorms/
letter .
16. In addition to the aforementioned Code of Conduct that
it tabled with China, Russia has also developed a draft concept
for a Convention on International Information Security.
Presented to an international meeting on information
security in September 2011, the draft convention focuses
on provisions to reduce information flows that could produce
social unrest or other destabilization in countries.
For the draft convention, see http://www.citizenlab.org/
cybernorms/russian .
17. UNIDIR and CSIS are currently undertaking an assessment of
national capabilities, doctrine, organization, and building
transparency and confidence for cybersecurity.
18. A presidential commission chaired by former Secretary of
Defense Donald Rumsfeld warned in 2001 that the United
States is “a prime candidate for a space Pearl Harbor.”
19. See http://www.dtra.mil/Missions/nunn-lugar/nunn-lugar-home.aspx.
20. See the following articles for additional background on the UN
GGE process: http://www.unidir.org/bdd/fiche-article.php?ref_article=3179;
http://munkschool.utoronto.ca/canadacentre/research/developments-in-the-field-of-information-and-telecommunication-in-the-context-of-international-security-work-of-the-un-first-committee-1998-2012/;
and http://belfercenter.ksg.harvard.edu/files/maurer-cyber-norm-dp-2011-11-final .
© 2016 Macmillan Publishers Ltd. 0955-1662 Security Journal Vol. 30, 3, 1000–1011
www.palgrave.com/journals
Original Article
Adrian Venables*, Siraj Ahmed Shaikh and James Shuttleworth
Coventry University, Coventry, CV1 5FB, UK
*Corresponding author.
Abstract Cyberspace and cyberpower are terms that are increasingly used in common parlance,
but are notoriously difficult to define and measure. This article builds on previous work defining
the properties of cyberspace in terms of vertical layers, which when combined with a representation
of distance presents a three-dimensional model. The unique attributes of cyberspace can be
harnessed for power projection, the aim of which is ultimately to alter the behaviour of individuals.
Although cyberspace has yet to be used as a medium to demonstrate conventional hard
power of coercion and threats supported by physical force, it does present a suitable medium for
the projection of soft power of attraction and imitation. These are defined within the context of the
online environment and by drawing on the techniques used to optimise Web-based commerce,
potential methods of implementing and measuring the success of a campaign of cyberpower projection
are proposed.
Keywords: cyberpower; soft power; social media; e-commerce; measures of effectiveness
Power and Cyberpower
According to Dahl (1957), the aim of a campaign to project power and influence is to
affect the behaviour of people such that A can be regarded as having power over B to the
extent that he can get B to do something that B would not otherwise do. This was
expanded on by Nye (2010), who in noting that the concepts are elusive to define and
measure, describes their aim as being to affect the behaviour of an individual to act in a
way that they would not otherwise do, to shape the preferences of others by determining
their wants or by setting agendas through external actions or persuasion. This power can
be targeted as precisely as to a single individual or small group, such as the European
Union sanctions against the leadership in Zimbabwe (BBC News, 2002) or to an entire
population as exemplified by radio propaganda broadcasts during the Second World War
(Concho, 2004).
Traditionally a state’s national power was considered to be dependent upon factors such
as geography, national resources, population size or wealth as these were regarded as
the constituent elements required for the creation of military power (Tellis et al, 2000).
The ability of a nation to be able to protect its own borders from attack while demonstrably
threatening a neighbour was seen as the ultimate symbol of national strength. In the post-industrial
age, definitions of national power began to introduce the notion of a knowledge
revolution that foreshadowed the growth in importance of the role of information technology
and innovation in society. However, Tellis et al (2000) comment that these were ultimately
seen as contributory factors in the generation of a country’s financial wealth that could be
converted into military capability if needed.
The projection and measurement of cyberpower
Security Journal (2017) 30, 1000–1011. doi:10.1057/sj.2015.35; published online 2 November 2015
The emergence of cyberspace and the concept of cyberpower require an evaluation of the
definition of how power and influence can be projected in an interconnected world.
As cyberspace has no physical boundaries, nations do not have territory to protect or ways
to threaten a neighbour’s borders and natural resources using the conventional definitions of
power projection. Therefore new ways are needed to be able to define power in order to be
able to use the medium to influence and shape the behaviour of others. Defining cyberspace
has attracted much debate, particularly for the military, which is keen to emphasise its
uniqueness to attract new funding in order to explore the opportunities it has to offer.
The UK Ministry of Defence’s Development, Concepts and Doctrine Centre (2013) and US
Department of Defence (2007) provide similar descriptions emphasising its interdependence
on a range of constituent elements such as networks, computer systems and embedded
controllers. A different approach is however proposed by Sheldon (2011), who defines
cyberspace in terms of four vertical layers, which are described as follows with proposed
indices of how they can be measured.
Infrastructure layer: The physical aspects of cyberspace, which incorporates computer
hardware, servers, networking components, cabling, satellites and other dedicated
facilities. This also includes those devices that users interact with, such as PCs, laptops,
tablets and smart phones. This layer could be measured by the proportion of the
population with access to the Internet, average time between users upgrading hardware,
levels of smart phone ownership, the number of Internet Service Providers (ISPs)
relative to the population and the number of international gateways providing global
connectivity.
Physical layer: Features that are governed by physics and comprise the properties
associated with the transfer of data across the infrastructure layer. These include the
characteristics of the electromagnetic spectrum such as the passage of photons in fibre-optic
cables, electrons in cabling and wireless propagation from short-range Bluetooth
communication to international satellite links. Measurements of this layer could incorporate
the proportion of the nation served by copper cable compared with high-speed
fibre-optic cable, number of Wi-Fi hotspots per head of population, mobile phone
coverage, average data consumption per subscriber and the cost of access compared with
average national salary.
Syntactic layer: The manner in which data is formatted to facilitate communication
between and within components of the infrastructure layer. This includes communication
protocols, software components and network routing algorithms. Measurements could
include the level of encryption routinely employed, the proportion of computers protected
by anti-virus and the levels of infected machines, degree of network prioritisation (Net
neutrality) and the number of Domain name registrations.
Semantic layer: This component enables human users to make sense of the information
and for it to become useful to them. This includes elements such as the type and popularity of
user interfaces, application software, as well as the linguistic, cultural and human factor
considerations employed in their design. Measurement indices include the proportion of
gross domestic product from online business, percentage of web pages produced in the
indigenous language, percentage of population who are active social network users, levels of
cybercrime and the amount and effectiveness of legislation and enforcement.
To this four-layer model of cyberspace, we add an additional human element as we
consider it fundamental to the nature and understanding of cyberspace and cyberpower. This
is because the domain is dependent upon man and, unlike the other environments with which
it is often compared, land, sea, air and space, it requires human intervention for its creation,
maintenance, exploitation and ultimately its destruction. Furthermore, the interpretation of
the semantic layer, which provides information that is useful and understandable to human
operators, has to be variously tailored to suit the needs of the end user and will need to
accommodate factors such as language and culture. This has been recognised with the
development of human–computer interaction as a multidisciplinary field in which psychology
and other social sciences unite with computer science and related technical fields with
the goal of making computing systems that are both useful and usable.
When viewed in this context cyberpower can be described in terms of the level of control
of these layers, noting that power over one does not result in governance of all. The ability to
quantitatively measure a range of variables within each layer could be used to produce a
comparative index of power. These could then enable a relative position against an economic
competitor or military adversary to be calculated. Specific areas that are shown to be
comparatively weak can then provide an indication of where effort needs to be concentrated
to improve performance.
In addition to defining cyberspace in terms of vertical layers, it can also be considered
horizontally in terms of Near, Mid and Far geographic operating space. These are described in
Table 1 and are based on those defined in the UK Ministry of Defence’s ‘Cyber Primer’
(MoD, 2013a, b). Control of the local Near space is vital to protect national or local interests
and through the ‘no man’s land’ of Mid space, power is projected into Far space, which will be
the Near space of a target country or competitor. An analysis of an adversary’s strengths and
weaknesses in each of these three areas can provide information on possible attack vectors that
can be utilised to reduce their influence and ability to operate freely in cyberspace.
In combining these five layers with the concepts of Near, Mid and Far space, cyberspace
can be redefined in three dimensions as shown in Figure 1. This can be used to illustrate that
although cyberpower may be exercised in some elements of the domain, it does not
guarantee control of all, and that some techniques targeting a particular aspect may only have
a limited overall effect against an adversary. This model also enables attacks to be
appreciated in terms of their intended areas of effect and for the defender an appreciation of
where the greatest risk to their organisation lies.

Table 1: The three horizontal layers of cyberspace

| Environment | Description |
| --- | --- |
| Near space | Local networks and systems that are considered vital to support critical national infrastructure and services and are assumed to be controlled and protected by national or governmental agencies |
| Mid space | Networks and systems critical to access global cyberspace but over which there is no local control or protection. Typically these may be geographically distant and owned by a foreign commercial company or a third party state |
| Far space | Networks and systems that form a competitor or adversary’s near space and which must be influenced or controlled as part of a campaign to project power and influence through cyberspace |

To demonstrate how our model of cyberspace can be applied in practice, Table 2
illustrates how each component can be defined in terms of a national government’s attempt
through the use of video clips on social media to influence European-born Jihadists who have
travelled to the Middle East to return to the West. In this case the targets have been identified
as predominantly using mobile telephony and are active on a variety of social media
platforms. Of note is the inclusion of anonymous hacktivists operating in Mid Space who
have been active in the disruption of extremist media platforms through their #OPIsis
campaign (Sullivan, 2015).
Figure 1: Three-dimensional model of cyberspace.

Table 2: Illustrative components of cyberspace

| Layer | Near space | Mid space | Far space |
| --- | --- | --- | --- |
| Human | Government Employee | ‘Anonymous’ Hacktivist | Jihadist |
| Semantic | Video production Software | Routing software | Social media application |
| Syntactic | MPEG-4 video format | Transmission Control Protocol (TCP)/Internet Protocol (IP) | MPEG-4 video format |
| Physical | Electrons in Ethernet cable and light in fibre-optic cable | Light in fibre-optic cable and radio frequency communication within satellite and microwave links | Radio frequency communication within mobile telephone networks |
| Infrastructure | Video production suite, desktop computer and Local Area Network | Microwave and satellite link, fibre-optic undersea cable and ISP infrastructure | Mobile telephone network and smart phone |

The Development of Soft Power in Cyberspace
Control of the vertical and horizontal layers of cyberspace described above is fundamental to
enable power and influence to be exerted. This can be directed both inwards towards a local
target population in Near space as well as to a target in Far space. The ability to effectively
translate cyberpower into an effect in the physical domain requires a clear understanding of
what objectives are desired and how success or failure can be determined. Any cyber strategy
must be fully coherent with the wider policy aims of the physical world as cyberspace and
cyberpower do not exist in isolation and any actions must be part of a wider political
objective and campaign plan.
Projecting power through cyberspace differs from that of the traditional concept of military
‘hard’ power, which seeks to change behaviour through direct inducements of threats and
coercion (Nye, 2010). Although methods of measuring the potential effectiveness of
conventional military forces based on their known or estimated capability are well established,
to date there has not been a fully attributed nation on nation cyber attack (Rid, 2012). This has
led analysts to only be able to speculate on a country’s capabilities and how a cyber conflict
may unfold and what effects may be achieved. However, several countries have already stated
that they are engaged in the militarisation of cyberspace, indicating that they are preparing to be
able to engage in offensive cyber operations, which may act as a credible deterrent to future
attacks. The UK Ministry of Defence (2013a, b) has announced its intention to build a counter-
attack capability and China has reportedly had cyber warfare units since 2003 with the US
Cyber Command achieving an initial operating capability in 2013 (Nato, 2009).
An alternative to the methods of military hard power to achieve national objectives is to
adopt the concept of soft power developed by Nye (1991). Soft power targets human factors
and aims to ‘get others to want the outcomes that you want’ through the power of attraction,
which includes non-material means such as culture, political values and foreign policies
(Treverton and Jones, 2000). After a decade of military operations in the Middle East, which
it may be argued has produced unclear outcomes, the benefits of soft power as the policy of
attraction over coercion are seen as offering an alternative means to achieve national
objectives. According to Nye (2004), the countries that are most likely to gain soft power
should display the following three attributes to optimise their attraction on the global stage:
● Their dominant culture and ideas should align to the prevailing global norms, which include
liberalism, pluralism and autonomy. This sets the standard to which other countries might
seek to attain, including a structure that enables free debate and an active engagement across
a range of diverse topics with individuals able to make informed, un-coerced decisions.
However, these can be viewed as being very much western ideals and it can be argued that to
gain soft power in countries without these traditions or ambitions it is necessary instead to
meet local norms that the target population may be familiar with and aspire to.
● Second, to be able to effectively disseminate the desired message it is necessary to have
access to multiple channels of communication to enable influence to be exerted over a
wide range of media. To provide a coherent message, this must be available through the
entire range of media types that the target has access to.
● Finally, for a country to gain soft power, it must be seen to be credible in terms of its domestic
and international performance so as to be attractive to the target it wishes to influence.
This requires the influencing country to be highly regarded, trustworthy and be seen to
have a good reputation on the world stage in terms of its national values and behaviour.
Further research by Kroenig et al (2010) into the concept of soft power suggests that to be
successful, states must communicate to their intended targets in a ‘functioning market place
of ideas’ where there is a competition of messages free from state influence. This would
include such forces and mechanisms as censorship and propaganda. In addition, they
propose that the target must be potentially receptive to the message, which must be credible,
attractive, repeated and contain emotional content. It must therefore be a carefully tailored
campaign directed at those who are amenable to the message and be able to influence
decision makers. However, as noted by Hall and Smith (2013), soft power cannot
compensate for what may be regarded as other unattractive national policies as has been
seen in China, where despite a substantial investment in soft power projection, evidence has
been used to demonstrate that it has had little or no positive effect on how the country is
perceived by its neighbours.
The role of soft power in the projection of the UK’s national power was recognised in
2013 by the appointment of a House of Lords Committee to determine how it could be
deployed in the national interest. The ability of cyberspace to reach large numbers of people
was highlighted in the report by the rise in urbanisation leading to large concentrations of
people in relatively small areas becoming intimately connected by electronic means and
more aware of 24-hour broadcasting and social media (House of Lords, 2014a). The impact
of this was highlighted by Fuchs (2012) in the role of BlackBerry Messenger and Twitter in
the 2011 London riots, with both the Prime Minister and Home Secretary making particular
reference to their role in organising the disturbances and countering the Police reaction. The
link between rolling news services and social media was also more recently exemplified by
Whitehead and Evans (2014) when a Qatari airliner was subject to a hoax bomb threat.
Although the passengers were not told of the situation, it was broadcast on national news and
subsequently on Twitter, which was being monitored by those on board. It is significant that
in this potentially dangerous situation, those most affected were not being informed of events
by the flight crew, but by journalists and members of the public on the ground.
Although soft power is clearly an attractive concept, the battle for hearts and minds in a
cooperative framework only works when the target is amenable to the message. Examples in
which it has failed include Kuwait in 1991 when only decisive military force was effective
and it has been noted by Greenwald (2010) as so far having a negligible effect on Islamic
militants in the Middle East. Using the example of Russian activity in Georgia and Ukraine
he noted that it also has a tendency to fail when the target is able to either block or effectively
counter the message with its own information campaign. Furthermore, once it becomes clear
that there is no plan to recourse to hard power, either economic or military, a policy that
relies on soft power alone will fail, with the result that an adversary will take advantage of a
lack of a credible military threat for their own ends.
These limitations of deploying soft power alone were recognised by Nye (2009) in the
development of the concept of smart power, which is the combination of hard power
coercion and payment with the soft power attributes of persuasion and attraction – the use of
carrot and stick, which to be most effective should be mutually reinforcing. Thus the
effective use of technology and information combined with conventional military power can
act as a force enabler so long as their strengths and limitations are well understood.
Projecting Power in Cyberspace
Although conventional military hard power that results in direct destruction and harm
through cyberspace has yet to be demonstrated, the use of intimidation and coercion to exert
power has been ably demonstrated by the Islamic State in Iraq and the Levant (ISIL) through
its media campaign (Lister, 2014). Directly in contravention of the traditional theory of soft
power’s attraction and appeal to wider cultural norms, their prominent videos of beheadings
and the promotion of an extremist ideology have been widely disseminated. By broadcasting
news of their latest atrocity around the world through multiple channels, including the
Internet, their message has been further disseminated through social media and blogs. This
effectively increases their exposure beyond their initial audience, with the opportunity to
reach future potential converts to their cause. Images censored by traditional media are
readily available online in their original format and may be seen to play a role in effectively
inspiring the radicalised at home and abroad, while demonstrating the consequences of
dissent to those already living under its regime. The quantity of images published online may
also act to normalise these acts of terror, desensitising potential perpetrators from
considering these actions abnormal and extreme.
Although the longer-term impact of ISIL’s campaign of hard power in cyberspace has yet
to be fully analysed, there are already examples of how effective a soft power campaign can
be on a receptive audience that is technologically literate and with a wide individual
ownership of devices capable of receiving the message. Barack Obama’s use of social media
as a tool of soft power proved particularly noteworthy in the 2008 presidential campaign.
In the previous 10 years US broadband Internet access had doubled to 55 per cent and social
networking technologies had matured, technology which Obama’s team fully exploited and
placed at the centre of their strategy. Although all the candidates hoping for the Democratic
party nomination had websites, he made better use of Twitter, text messages and Facebook to
proactively engage with his supporters in publicising his message, gaining supporters and
fund raising (Talbot, 2008).
At an international level, the House of Lords’ committee on soft power noted that a
country’s cultural reputation is seen as being an important element in the projection of power
and influence, with the role of national broadcasters particularly emphasised. In this respect
the British Broadcasting Corporation (BBC) was seen as a unique strength for the United
Kingdom predominantly due to its perceived independence from the Government, its
international services and the dominance of the English language worldwide (House of
Lords, 2014a). In particular, during his evidence to the committee, Nye stated that in an
information age soft power relies on communication and that it was not just whose army
wins, but also whose story wins that matters in exercising power (House of Lords, 2014b).
However, the power of the message may be lost if it is seen as promoting a specific national
message and the committee concluded that fundamental to gaining the trust of others and
promoting a sympathetic view of the United Kingdom is to promote characteristics that have
broad appeal. These must have attributes that are intrinsically linked to the United Kingdom,
yet are seen to be independent of government interference. Evidence of the power of the
BBC was noted by the committee in their final report by making specific reference to the
alleged jamming by the Iranian authorities of the satellite signal broadcasting its content
(House of Lords, 2014a).
An integral component of any campaign to influence behaviour is an understanding by the
target of the originator and their intentions. This may be clear when faced with military force
or a radio broadcast announcing its origin, but may be erroneous if it is part of a deception
plan. However, as Rid (2011) notes, quoting Clausewitz’s statement as war being an
extension of politics, attribution will always follow at some point in a conflict. Within
cyberspace though, attribution may not be straightforward and misinformation is rife. Social
media in particular has been noted as providing an environment in which individuals have
been deceived, sometimes with devastating personal consequences (Tsikerdekis and
Zeadally, 2014). Established media organisations and democratic governments with an
online presence strive to ensure the credibility of all information that they broadcast and that
it is not perceived as state-sponsored propaganda. To achieve this, it must be truthful and
open to corroboration, clearly attributable to the source and sensitive to local cultures and
religions (Nye, 2008). However, despite the efforts of reputable news organisations to
disseminate information, which to the best of their knowledge is unbiased and neutral, the
mass of conflicting information online can be problematic. Bastardi et al (2011) illustrated
that what people believed to be true and what they wish to be true can be very different with
people evaluating evidence in a biased manner. Examples demonstrated that where political
convictions are challenged by scientific studies, people derogate from the methodology used
or interpret the results differently to fit their preconceived beliefs.
In order to be able to influence a target audience, it is necessary to have not only a
compelling message, but also access to the target’s network infrastructure for its
dissemination. As noted by the OpenNet Initiative (ONI), which seeks to identify and
document Internet filtering and surveillance, network resilience is becoming an increasingly
important factor (opennet.net, 2014). In particular, the ONI notes that the content of
social media applications has attracted the attention of governments around the world and
some have sought to block selected elements of the sites or even shut off access entirely to
those that contain politically or socially sensitive content. An understanding of both the
level of censorship a target audience is subject to and their awareness of methods such as
proxies to circumvent them are an important aspect in any attempt to project power
through cyberspace.
Measuring the Effect of Cyberpower
Because of the inconsistency in how people interpret information and the potential bias in
how it may be understood, the House of Lords committee (2014a) echoed Nye (2010) in
noting that soft power cannot be applied instantaneously, but that it is a long-term activity
that must be carefully planned and implemented (House of Lords, 2014a). Influence and
affinity cannot be easily quantified and attempts to do so may result in measuring only those
aspects that can be more easily identified as discrete variables and not the more abstract
elements such as the effect of the message. Some metrics can be identified however, such as
those used in Obama’s successful Presidential election campaign, which were measured not
only in terms of monetary donations, but also through comparing the numbers of Twitter
followers of each candidate, which provided a direct indication of relative popularity as did
MySpace ‘friends’ and Facebook supporters (Talbot, 2008). Trends in web traffic and
Internet searches also provided indicators as to how the campaign was progressing towards
the all-important primaries. In addition to purely just measuring the number of followers in
Twitter, other methods have been used to determine the spread and impact of a message.
Research by Cha et al (2010) has shown that the use of hashtags that identify certain topics as
well as mentions and retweets can provide a more reliable indication of the influence of the
originator than comparing just the number of followers.
The use of social media in which users actively interact with the application by posting
their own messages and engaging with others’ readily lends itself to quantitative analysis.
However, methods also exist to measure user engagement with other methods of
communication such as websites in which there may be no direct data input. Many of the
techniques that can be applied to the measurement of a soft power message can be taken
from the domain of Internet commerce in which website visits are recorded and analysed
with the aim of optimising the user experience and increasing sales. Google Analytics is a
facility that provides information about a website’s traffic and measures the number of
visits that results in actual sales. It can record in real time for later analysis how and
from where the user accessed the site, such as from search engines or social media, and
tracks their interaction with the pages while logging what material is downloaded
(Google Analytics, 2014). Since July 2014, Twitter has also provided a powerful facility
to investigate the use of its platform with its own analytics function that allows users
to discover who has viewed their Tweets and provides an overview of their profiles
(Twitter Analytics, 2014). Also commonly used by websites to aid their analysis of user
activity is the use of ‘cookies’, which are small non-executable harmless text files,
downloaded by web servers onto the devices accessing their websites. These can then be
used to provide user identification of the machine, record revisits, track browsing habits
and tailor the user experience accordingly. By measuring the number of visits and tracking
browsing habits within the site, ongoing and repeat interest in its contents can then be
gauged (Jegatheesan, 2013).
Although both widely used, Google Analytics and cookies do require the acquiescence of
the user in allowing the use of scripting languages embedded in the websites to be executed
by their browser and permitting cookies to be downloaded. An alternative method, which is
purely server based, utilises monitoring software that tracks the mouse clicks and information
requests of visitors to a website (Kent et al, 2011). This records which pages have been
most accessed, what type of information is of most interest and the path that users take as
they navigate its pages and the time spent on each one. Web analytics software places no
information onto the visitors’ computers and no personal information is collected. It is
becoming regarded as an essential component of those with a commercial web presence, and
although designed and primarily used as a method of optimising the web experience of
potential customers, it has a potential use as a means of measuring the reaction to material
designed to spread a soft power message.
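The purely server-based measurement described above can be sketched as follows; this is an example added here, not code from the article or from any analytics product. It reads web-server access logs in the common "combined" format (the sample lines are constructed) and derives page counts, navigation paths and time spent per page without placing anything on the visitor's device. Treating IP address plus user agent as one visitor and a 30-minute inactivity gap as a session boundary are assumptions of the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)
ASSET_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif", ".ico")
SESSION_TIMEOUT = timedelta(minutes=30)  # assumed inactivity threshold

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [02/Sep/2014:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [02/Sep/2014:10:00:01 +0000] "GET /static/site.css HTTP/1.1" 200 900 "/index.html" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [02/Sep/2014:10:00:40 +0000] "GET /news/video-1.html HTTP/1.1" 200 8200 "/index.html" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [02/Sep/2014:10:01:00 +0000] "GET /news/video-1.html?src=social HTTP/1.1" 200 8200 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.9 - - [02/Sep/2014:10:01:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "/news/video-1.html" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.9 - - [02/Sep/2014:10:01:35 +0000] "GET /missing HTTP/1.1" 404 300 "/index.html" "Mozilla/5.0 (Windows NT 6.1)"
this line is malformed and must be skipped
198.51.100.7 - - [02/Sep/2014:10:02:40 +0000] "GET /about.html HTTP/1.1" 200 3100 "/news/video-1.html" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [02/Sep/2014:11:30:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def parse_line(line):
    """Return one parsed request, or None if the line is not in combined format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return {
        # IP + user agent only approximates a visitor (NAT, shared proxies).
        "visitor": (m["ip"], m["agent"]),
        "when": when,
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def page_requests(log_text):
    """Yield successful page views, skipping errors, assets and bad lines."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != 200:
            continue
        if rec["path"].lower().endswith(ASSET_SUFFIXES):
            continue
        yield rec


def sessionize(records, timeout=SESSION_TIMEOUT):
    """Group each visitor's requests into sessions split by inactivity."""
    by_visitor = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["when"]):
        by_visitor[rec["visitor"]].append(rec)
    sessions = []
    for hits in by_visitor.values():
        current = [hits[0]]
        for prev, nxt in zip(hits, hits[1:]):
            if nxt["when"] - prev["when"] > timeout:
                sessions.append(current)
                current = []
            current.append(nxt)
        sessions.append(current)
    return sessions


def analyse(log_text):
    """Most-accessed pages, navigation paths and average time per page."""
    views, dwell, paths = Counter(), defaultdict(list), []
    for session in sessionize(page_requests(log_text)):
        paths.append([hit["path"] for hit in session])
        views.update(hit["path"] for hit in session)
        # Time on a page is the gap to the next request in the session;
        # the last page of a session has no following request to measure.
        for cur, nxt in zip(session, session[1:]):
            dwell[cur["path"]].append((nxt["when"] - cur["when"]).total_seconds())
    avg = {path: sum(v) / len(v) for path, v in dwell.items()}
    return {"page_views": views, "paths": paths, "avg_dwell_seconds": avg}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print(report["page_views"].most_common())
    print(report["paths"])
    print(report["avg_dwell_seconds"])
```
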
In addition to the methods used in optimising online commerce, there are also other
means available that could theoretically be used to project and measure the spread of soft
power. These originate from techniques used by the creators of malware and involve
activities that could be regarded as straying into the realm of hard power and would have
significant legal and ethical constraints in their use. These draw on the methods used by
botnets to deliberately infect a target computer with executable code, which would then
report back to a command and control server. This could be achieved by the victim
clicking on a link within a website to download the code, or even by conducting a ‘drive-
by’ attack by just visiting a specifically designed page containing the malware using a
browser configured to grant access to scripting languages (Barwinski, 2005). This
spyware’s role could be as simple as reporting usage such as sites visited and material
downloaded, but it could also be used for a range of other activities more commonly
associated with malware, such as harvesting user credentials and directing users to fake
websites feeding false information or even rendering the machine itself inoperable. These
different tracking methods are summarised in Table 3.
All these methods are mature technologies and their ongoing development and current use
would be driven by the commercial need to understand how users interact with online
commerce or, in the case of the final method, for illicit purposes. Botnets were first recorded
in 1999 and have increased in complexity and sophistication to avoid detection; as a result
end users may not even be aware of their existence within their computers. This may
particularly be the case if their signatures are not included within the anti-virus software in
use and the communication to their command and control server remains unnoticed (Gassen
and Gerhards-Padilla, 2012).
The techniques used in commercial advertising to attract customers and increase revenue
have distinct parallels with the desire of both state and non-state actors to influence the
behaviour of a population as part of a strategy to project cyberpower. Both are intended to
alter the perception of their targets in order to conduct activities to the benefit of the
originator. Advertising is the ultimate in soft power – the power of attraction and imitation
with coercion and deterrence being an option used by those with a culture, doctrine or
religion to promote. If detected, the employment of malware to harvest information or direct
users to alternate sites would be seen as a provocative act by the target and depending on the
nature of the information disseminated and the political situation at the time may be seen as
an aggressive or possibly even a hostile act.
Conclusion
The pursuit of power has the ultimate aim of being able to control the behaviour and actions
of another, even if it is against their will. Traditionally, at the state level this has been
considered in terms of hard power using coercion and force with the potential of military
action the ultimate threat. However, with the application of attributed military force yet to be
displayed within cyberspace, the soft power of attraction and imitation has gained interest as
an alternative approach complemented by military force in the physical environment as part
of a coherent smart power strategy. Using cyberspace as the means of projecting soft power
involves both identifying and mapping the networks and infrastructure used to reach the
intended audience as well as the creation of a culturally compelling message. In this article
we have sought to describe a three-dimensional model of cyberspace that can be used to
identify and contextualise all the elements that need to be controlled to enable a target to be
successfully reached. In considering how soft power in cyberspace can be generated and the
means by which it can be delivered, we provide a method by which an assessment can be
made of its potential success in reaching its intended audience as well as how an adversary’s
campaign can be interrupted.

Table 3: Methods of measuring web site interaction

| Tracking method | Where hosted | Active or passive | Invasive | Site redirection |
| --- | --- | --- | --- | --- |
| Google Analytics | Client/server | Active | Yes | No |
| Cookies | Client/server | Passive | Yes | Yes |
| Web analytics | Server | Passive | No | No |
| Spyware | Client | Active | Yes | Yes |

Developing a soft power campaign is a challenging undertaking as it requires a deep
understanding of a complex environment and, to be effective, must fulfil a range of criteria,
not least in that it must not be seen as state-sponsored propaganda. A key aspect of any
influence activity in cyberspace is a measurement of the penetration of the message within
the target audience and their response to it. Human factors play an important part as unless
the message can be accessed, understood and most importantly acted upon by the final
recipient of the message, the campaign will have been fruitless. By drawing on well-
established and mature technology designed to legitimately measure website interaction or
illicitly to develop malware we have proposed methods to measure the dissemination and
response to a soft power message in a target population.
References
Barwinski, M. (2005) Taxonomy of Spyware and Empirical Study of Network Drive-by-Downloads. Monterey, CA:
Naval Postgraduate School.
Bastardi, A., Uhlmann, E.L. and Ross, L. (2011) Wishful thinking: Belief, desire, and the motivated evaluation of
scientific evidence. Psychological Science 22(6): 731–732.
BBC News. (2002) EU agrees Zimbabwe sanctions. 18 February, http://news.bbc.co.uk/1/hi/world/africa/1827827.
stm, accessed 4 February 2015.
Cha, M., Haddadi, H., Benevenuto, F. and Gummadi, K. (2010) Measuring user influence in twitter: The million
follower fallacy. Proceedings of the Fourth International AAAI Conference on Weblogs and Social Media, AAAI
Press, Menco Park, CA.
Concho, C. (2004) Radio propagation during World War II. http://web.stanford.edu/class/e297a/WAR%20PRO-
PAGANDA.htm, accessed 4 February 2015.
Dahl, R. (1957) The concept of power. Behavioral Science 2(July): 202.
Department of Defense. (2007) Joint Publication 1-02 Dictionary of Military and Associated Terms.
Development, Concepts and Doctrine Centre. (2013) Joint Doctrine Note 3/13. Ministry of Defence, UK.
Fuchs, C. (2012) Behind the news. Social media, riots and revolutions. Capital and Class 19(3): 383.
Gassen, G. and Gerhards-Padilla, E. (2012) Current botnet-techniques and countermeasures. Praxis der Informa-
tionsverarbeitung und Kommunikation 35(1): 3–10.
Google Analytics. (2014) http://www.google.com/analytics, accessed 2 September 2014.
Greenwald, T. (2010) The soft-power fallacy. Commentary January.
Hall, I. and Smith, F. (2013) The struggle for soft power in Asia: Public diplomacy and regional competition. Asian
Security 9(1): 1–18.
House of Lords Select Committee on Soft Power and the UK’s Influence. (2014a) Report of Session 2013–14.
Persuasion and Power in the Modern World, HL Paper 150, London: The Stationery Office, March, pp. 33–53.
House of Lords Select Committee on Soft Power and the UK’s Influence. (2014b) Oral and Written Evidence.
Report of Session 2013–14, Persuasion and Power in the Modern World, HL Paper 150, London: The Stationery
Office, March, Vol 1. p. 122.
Jegatheesan, S. (2013) Cookies – Invading our privacy for marketing, advertising and security issues. International
Journal of Scientific and Engineering Research 4(5): 3.
Kent, M., Carr, B., Husted, R. and Pop, R. (2011) Learning web analytics: A tool for strategic communication.
Public Relations Review 37(5): 536–543.
Kroenig, M., McAdam, M. and Weber, S. (2010) Taking soft power seriously. Comparative Strategy 29(5): 412–431.
Lister, C. (2014) Profiling the Islamic state. The Brookings Institution, http://www.brookings.edu/~/media/Research/
Files/Reports/2014/11/profiling%20islamic%20state%20lister/en_web_lister , accessed 5 February 2014.
Ministry of Defence. (2013a) Cyber Primer. Development, Concepts and Doctrine Centre, UK, pp. 1–22.
Ministry of Defence. (2013b) New cyber reserve unit created. 29 September, https://www.gov.uk/government/news/
reserves-head-up-new-cyber-unit, accessed 5 August 2014.
© 2016 Macmillan Publishers Ltd. 0955-1662 Security Journal Vol. 30, 3, 1000–1011 1011
The projection and measurement of cyberpower
NATO Parliamentary Assembly. (2009) NATO and cyber defence, http://www.nato-pa.int/default.asp?
SHORTCUT=1782, accessed 5 August 2014.
Nye, Jr, J.S. (1991) Bound to Lead: The Changing Nature of American Power. Canada: Basic Books.
Nye, Jr, J.S. (2004) Power in The Global Information Age. Oxon, UK: Routledge, p. 90.
Nye, Jr, J.S. (2008) Public diplomacy and soft power. The Annals of the American Academy of Political and Social
Science 94(1): 109.
Nye, Jr, J.S. (2009) Get smart. Combining hard and soft power. Foreign Affairs July/August. http://www
.foreignaffairs.com/articles/65163/joseph-s-nye-jr/get-smart?page=1, accessed 3 September 2014.
Nye, Jr, J.S. (2010) Cyber power. Harvard Kennedy School, May, http://belfercenter.ksg.harvard.edu/files/cyber-
power , accessed 27 October 2013, p. 2.
Open Net Initiative. (2014) https://opennet.net/, accessed 3 September 2014.
Rid, T. (2011) Cyber war will not take place. Journal of Strategic Studies 35(1): 6.
Rid, T. (2012) Cyber-weapons. The RUSI Journal 157(1): 6–13.
Sheldon, J. (2011) Deciphering cyberpower. Strategic Studies Quarterly (Summer): 98.
Sullivan, B. (2015) Anonymous #OPIsis attackers take down ISIS twitter accounts, http://www.techweekeurope.co.uk/security/cyberwar/anonymous-isis-hack-161671, accessed 19 February 2015.
Talbot, D. (2008) How Obama really did it. Technology Review Sep/Oct.
Tellis, A., Bially, J., Layne, C. and McPherson, M. (2000) Measuring National Power in the Post Industrial Age.
Santa Monica, CA: Rand, p. 5.
Treverton, G. and Jones, S. (2000) Measuring national power, RAND national security research division, http://www.rand.org/content/dam/rand/pubs/conf_proceedings/2005/RAND_CF215 , accessed 5 August 2014.
Tsikerdekis, M. and Zeadally, S. (2014) Online Deception in Social Media, Library and Information Science
Faculty, Paper 12, University of Kentucky UKnowledge.
Twitter Analytics. (2014) http://www.analytics.twitter.com, accessed 2 September 2014.
Whitehead, T. and Evans, M. (2014) Passengers learn of bomb scare on twitter. The Telegraph 6 August.
- The projection and measurement of cyberpower
Abstract
Power and Cyberpower
The Development of Soft Power in Cyberspace
Projecting Power in Cyberspace
Measuring the Effect of Cyberpower
Conclusion
References
Using APA style format, in 800 words answer the following questions using the attached articles. Provide specific examples and citations from the articles to support questions.
1. What is the strategic importance of cyberspace and cyber-power to the United States?
2. What are the leading issues confronting policy makers with regard to cyberspace and cyber-power?
3. Can the US develop a cyber-strategy?
4. Does the US need a cyber-strategy?
5. What do you think the consequence for the US is if we do not address these issues?