Last year, we turned the blog’s focus to members of Fletcher’s faculty. Kicking off the Faculty Spotlight series for 2015 is Antonia H. Chayes, Professor of Practice of International Politics and Law. Prof. Chayes currently teaches Civil-Military Relations and International Treaty Behavior: A Perspective on Globalization. Her post is a timely piece that demonstrates how professors can redirect their research focus when world events require.
The news story about hacking Sony Pictures dominated the holiday news. North Korea, allegedly, with its vast cyber skills, brought a major corporation to a dead halt, and moreover, exposed its seamier corporate life to a public always voracious for gossip. President Obama promised a proportionate response — and put blame on Sony for pulling the picture from theaters after North Korea threatened dire consequences if the picture, a silly spoof on CIA assassination efforts in the hands of bumbling journalists, were released. Sony and its independent theaters reconsidered, and a limited theater showing was made, accompanied by widespread home availability. Then North Korea’s internet went down, and it has suffered short spurts of blackout. The attribution has remained cloudy, and speculation has abounded, including the notion that a Russian group engineered the original Sony cyber exploitation simply to stir up trouble.
Then come the pundits and analysts — is this cyberterrorism or cybervandalism? Should this be considered another step toward cyberwar — part of the spreading inkblot of a grey area that is neither peace nor war? In fact, this is just a minor episode in an ongoing set of cyberattacks and counterattacks throughout the world. Banking firms have been hacked; cyber espionage from China has caused the U.S. to indict specific members of China’s military (in absentia, of course) for cybercrimes. Have we forgotten that Estonia was brought to its knees by a cyberattack by the Russian youth group Nashi in 2007 over the removal of a statue of a Soviet soldier from the central square in Tallinn?
The United States has spent billions preparing for cyberwar, yet the government lacks control of its critical infrastructure, which is most likely to be the target of an attack. 85-90% of that infrastructure in the United States and Western Europe is in private hands. The Department of Homeland Security has been anointed to take charge of private infrastructure, and an Executive Order and a Presidential Directive have been the only means to secure support from the private sector. Several bills were introduced in Congress to legislate minimum standards for private infrastructure, but these were defeated — even the mildest form of regulation. Thus private industry is expected to do on a voluntary basis what it managed to defeat as a matter of regulation. Nor is it clear which agency would run the show in a crisis — civilian or military. The disparity between the Department of Homeland Security, whose 2015 budget request was $1.5 billion, and the combined Cybercommand and NSA request of $5.1 billion is enormous.
Both agencies have engaged in real world simulations, and the results have not been exactly transparent. Some public reports, whose language is rather bland, suggest room for improvement. And further, U.S. Supreme Court precedents such as the “Steel Seizure” case under President Truman cast a long shadow, should the U.S. government try to seize control of private infrastructure in a crisis.
The problems posed by the whole range of cyber exploitation, from cybercrime to espionage up to attacks, are international as well as national. There has been some progress in the NATO alliance: a Center of Excellence in Tallinn, reinforcing broad concern over the attack on Estonia in 2007, and the Cyber Defense Management Board, where political, military, operational and technical staff operate at the working level. The Tallinn Manual fits cyber issues into the vast canvas of international law, and is now under revision. At the NATO summit in Wales, September 2014, NATO announced an enhanced cyber strategy recognizing that a cyber attack might be as harmful as a conventional attack. It affirmed that cyber defense “is part of NATO’s core task of self defense,” but added that the decision to intervene would be made on a case-by-case basis. There is a fairly weak EU directive that urges states to take protective measures.
The Budapest convention addresses cybercrime, but in the context of urging state uniformity. These measures, admittedly weak, represent a beginning of international cooperative action. Many regional organizations are at similar stages.
At Fletcher, Professor Martel had been working with a group of faculty and students on several Codes of Conduct — for states, corporations, and individuals — at the request of Lincoln Laboratories. This kind of work is the essence of Fletcher’s interdisciplinary experience. We must honor Bill’s memory by continuing the work he so cared about.
A Code of Conduct is not yet regulation — it is a pledge of behavior whose aspiration is to change norms. For those of us participating in the project, we hope to get widespread adoption and will be seeking foundation funding to do so. Fletcher’s strength in both international law and cyber studies puts us in a good position to move forward. And my forthcoming book, Borderless Wars: Civil Military Disorder and Legal Uncertainty, concludes with a chapter on cyberattacks seeking more robust regulation, stating “Regulation of offensive cyberattacks cannot provide the same level of reassurance that intrusive verification of visible chemical or nuclear weapons production provides. But the very process of engaging in a widespread international cooperative effort has a deterrent effect, and may reduce, if not eliminate the threat of attack.”