“Politicians should read science fiction, not westerns or detective stories.”
Arthur C. Clarke
As cyber issues become a more significant element of geopolitics, they attract more attention from policymakers. Today, those in positions of economic and political leadership are concerned for or with cyberspace. The crime, espionage, and warfare connected to the term cyber are widely discussed, but it was not long ago that one U.S. elected official was widely lampooned for describing the Internet as “a series of tubes,” seemingly unaware of how the metaphor applied.
For the last 20 years, governments around the world have largely left the Internet, the key technical infrastructure of cyberspace, alone, often providing subsidies and investment without heaping on regulation or taxation. The cyber attacks against Estonia in 2007, the Wikileaks episode, the digital components of the Arab Spring revolutions, and the Stuxnet campaign against the Iranian nuclear enrichment program each stand as markers in drawing the attention of the powerful beyond those in the technology industry itself. Microsoft founder Bill Gates recently argued at a conference in Houston, “Cyber security has been an issue for the last decade or so. But it’s getting more attention now and it should be getting more because it’s just now – or should be this way – being looked at in geopolitical terms.”
The international politics crowd occasionally convenes to consider cyberspace, the Internet, and information technology (IT). Last decade, it was the World Summit on the Information Society (WSIS) in Tunis. Last year, it was the World Congress on Information Technology (WCIT). Both these assemblies were largely cast as debates on the role of the United States in governing the Internet. But this presupposes that the government of the United States, or any government, has the capacity to completely assert its will on how the Internet is run, or indeed how it was ever constructed in the first place.
What the U.S. delegation to WCIT argued, apparently in a persuasive manner, was that governance of the Internet, the technical construct underpinning the rhetorical one called cyberspace, is best left to a multi-stakeholder arrangement. Government agencies and civil society have a role in this, but so does industry (and with it the assortment of technologists charged with making the Internet run).
The engineers of the Internet did not bring it to the massive audience it enjoys, the profit motive did. Nonetheless, without a clique of engineers, cyberspace would not be. The technologists are very much a part of the politics of cyberspace, but it is difficult to determine what power they hold.
“I’m going to watch our screens and try to see a Guildsman.”
“You won’t. Not even their agents ever see a Guildsman. The Guild’s as jealous of its privacy as it is of its monopoly. Don’t do anything to endanger our shipping privileges, Paul.”
Frank Herbert – Dune
In Dune, the elder Atreides passed the wisdom to his son regarding the enormous power of the Spacing Guild holding the interstellar travel monopoly. This guild is a useful metaphor. Two years ago, at the inaugural Cyber Dialogue, Paul Twomey reminded us that the people who make the Internet function, those technicians and engineers of routers, switches, and other logical devices stand as a guild. And what might he mean? A fairly standard definition of a guild is an association of artisans; people who make things. Guilds grew up in medieval Europe, passing knowledge from generation to generation. They occupied a precarious space between the feudal elite and the mass of peasantry eking out subsistence from the land and underwriting the needs of the nobility, who offered martial protection in exchange for taxes. While the peasants toiled and the lords protected, the guilds built modernity.
But in thinking of cyberspace, it is worthwhile to think of how the guild that makes the Internet run came to be. The Internet grew up around a rather unusual entity, the Internet Engineering Task Force (IETF), in roughly a generation. These engineers created new pieces of functionality, maintained the infrastructure needed to route an unfathomable number of messages, and managed the Internet’s phenomenal growth. Without this technological guild, the Internet would not work, but how does it exert power and how much of it does it have?
We can get an idea of this from the swift and persistent response to the 2011 Stop Online Privacy Act (SOPA) and the Protect IP Act (PIPA) legislative initiatives in the U.S. Congress. As written, both bills would have essentially banned the fruit of 20 years’ effort to develop the Internet Protocol Security (IPsec) protocol suite. (In response, I did what academics typically do, writing an op-ed piece and signing a petition – probably the only time my name will appear anywhere near both Peter Gabriel and Glenn Beck’s).
The SOPA/PIPA lesson was clear. Governments could attempt to exert control over cyberspace, but if enough interested parties who make it work disagreed, government’s capacity to control it could be fairly effectively thwarted. Unfortunately cyberspace is also a convenient avenue for those with the requisite skills to penetrate corporate, government, and organizational networks and purloin information, thus disrupting it.
“[J]acked into a custom cyberspace deck that projected his disembodied consciousness into the consensual hallucination that was the matrix. A thief, he’d worked for other, wealthier thieves, employers who provided exotic software required to penetrate the bright walls of corporate systems, opening windows into rich fields of data.”
William Gibson – Neuromancer
The news often portrays that all hell has broken loose in cyberspace. Indeed, cyberspace is increasingly becoming a venue for conflict between parties – states, transnational groups, corporations, political movements, and others. There is new power to be found in cyberspace, an area the U.S. Department of Defense labels a domain of conflict and a place where it plans to send thousands of its soldiers, sailors and airmen to do battle. One journalist reports that 12 of the 15 largest military powers have active cyber warfare programs, but military doctrinaires still leave most of us wondering what cyberwar is or isn’t.
Luckily we still reside at a point where rhetoric goes far beyond reality in cyber warfare. Much of what makes headlines is actually espionage undertaken by cyber means. In its recent report, American cybersecurity firm Mandiant produced an extraordinarily detailed view of cyber espionage activities being undertaken from China. But what was remarkable about the company’s research was their ability to unequivocally argue that, “The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them.”
China has developed a massive cyber intelligence capability designed to purloin the intellectual products of foreign firms and enable the rapid technological advancement of its state-run industries and research institutions. It is not China alone engaging in cyber espionage, as the U.S. Office of the National Counterintelligence Executive (ONCIX) stated in its 2011 report, “Certain allies and other countries that enjoy broad access to US Government agencies and the private sector conduct economic espionage to acquire sensitive US information and technologies. Some of these states have advanced cyber capabilities.” Being fair, the PRC accuses the United States of making more than 100,000 attacks a month upon its websites.
The imagined world of widespread cyber espionage from Gibson’s Neuromancer is now very real. Globally interconnected, multinational corporations remain big, ripe targets. As my colleague Dan Wallach commented on the Mandiant report, with regard to the Chinese hackers of its Unit 61938, “I’m most taken aback by the lack of sophistication and poor tradecraft.” This should resonate with corporate and government leaders alike – the Chinese hackers who’ve perpetrated what has been called (fairly or not) the greatest transfer of wealth in human history have achieved incredible results with mediocre effort. But cyber espionage is being eclipsed. The capacity to turn on and off machines, damage industrial plant, and possibly even endanger human life via cyber means is no longer conjecture, but rather a real possibility.
“Violence is the last refuge of the incompetent.”
Isaac Asimov – Foundation
Cyberspace has transformed the practice of intelligence, but may also usher in a new golden age in covert action. Stuxnet demonstrated a crossing of the Rubicon in cyber covert action designed to impact computer-controlled physical infrastructure. To anyone who finds appeal in John Perry Barlow’s “A Declaration of the Independence of Cyberspace,” the use of cyberspace as a mechanism for clandestine military attack is revolting. To Barlow, cyberspace wasn’t supposed to be a venue for conflict, it was supposed to be, “a civilization of the mind…more humane and fair than the world your governments have made before.”
Sadly, this is not the case. Cyberspace is becoming a battlefield, in which the lines between soft and hard power blur. I opined on the current state of affairs in cyber conflict recently. Of cyber attacks, I argued:
As long as they work, countries and plenty of others will launch cyber-attacks that blur the differentiation between power of persuasion and hard coercive force in combinations of diplomacy, trade, covert action and military intervention. A friend suggested a term for placement of cyber-action across the spectrum of international affairs: shoft (mostly soft, but with some hard elements). Most soft U.S. cyberpower is in Silicon Valley. But there is a growing area of cyber-action with physical ramifications in other places — see Stuxnet and Shamoon.
Like the land, seas, and skies before, military forces are now considering how to make this human constructed commons, cyberspace, a productive avenue for conflict. I can understand why. Any geopolitical realists will assert that any available advantage in the chaotic international system is one to be taken. Maybe it is better that conflict does take place in cyberspace. Perhaps it’s preferable to the carpet-bombing of cities or enslavement of nations, but for those of us who have watched cyberspace grow up in our lifetime, it is a disappointing development nonetheless.
Let us hope that, with or without the aid of government, individuals will aggregate their efforts in the cause of keeping the two billion people connected in a global cyber commons rather than a patchwork of sovereign networks. To think that the system of states, which grew up from the last information revolution, the one surrounding the printing press, will operate unaffected by the most recent information revolution is short sighted. We likely live in a post-Westphalian time where governance is up to a multiplicity of actors, rather than the servants of sovereigns. That cyberspace’s governance would be a construct of that time gives short shrift to human capacity for imagination and innovation.
About Chris Bronk
Christopher Bronk is the Baker Institute fellow in information technology policy. He previously served as a career diplomat with the U.S. Department of State on assignments both overseas and in Washington, D.C. His last assignment was in the Office of eDiplomacy, the department’s internal think tank on information technology, knowledge management, computer security and interagency collaboration. Since arriving at Rice, Bronk has divided his attention among a number of areas, including information security, technology for immigration management, broadband policy, Web 2.0 governance and the militarization of cyberspace. He teaches on the intersection of computing and politics in Rice’s George R. Brown School of Engineering. Holding a PhD from The Maxwell School of Syracuse University, Bronk also studied international relations at Oxford University and received a Bachelor’s degree from the University of Wisconsin-Madison.