July 1, 2009  

A global problem

Cyberspace threats demand an international approach

In the summer of 2008, the nation of Georgia was attacked by hackers, presumably from Russia. The media speculated it was the first “cyberwar” because the attacks were launched on the eve of the ground invasion by Russia into Georgian territory. About a year earlier, Estonia was attacked by hackers, disabling the Web sites of government agencies, political parties, newspapers, banks and other companies. Many believe the Russian government was also responsible or at least aware of these attacks. More recently, during the Gaza conflict between Israel and Hamas, hackers attacked Israeli Web sites.

Cyberspace, of which the Internet is a large part, is an amazing technological resource that has changed the way people communicate, do business and relate to each other. It allows people from opposite sides of the globe to connect instantly. This resource, though, is not without its problems, and the “bad guys” have learned to use it for nefarious purposes: identity theft, computer viruses, network intrusions and child pornography among them.

The standard “in the box” response by Georgia, Estonia, Israel and most nations confronting a cyberattack is to defend their networks from within their national borders, although the Georgian government took some unique steps, thinking slightly outside the box.

What options, other than to defend in place, do nations have when an attack or intrusion cannot realistically be attributed to another nation, group or individual? Nations need an effective means for defense of their networks to stop or block these attacks and intrusions at a point outside of their networks. Before going any further, let me clarify that this article does not address what constitutes a cyberattack, an act of war, nor does it seek to resolve some of the more technical issues, such as the ability to block the attack or filter viruses and worms at one or more points in cyberspace. These are issues to be worked out at a later time. This article proposes creating “international cyberspace” to provide nations viable options for defending their networks.

In 2003, computer viruses and worms cost companies an estimated $55 billion in damages and, as a snapshot, on March 2, 2009, an average of just 10 viruses infected more than 9 million files globally. Remember “I Love You,” “Sasser,” “SQL Slammer,” “Sobig,” MSBlast.exe”? Unsuspecting computer users are being tricked into clicking for a Valentine’s Day e-card, for example, that downloads malware to their systems, creating botnets. What can nations and companies do, other than secure, defend in place and clean up the mess? Many technical and political impediments exist that prevent nations from effectively combating cyberattacks, worms/viruses and other criminal behaviors in cyberspace. Three are paramount:

• The seemingly borderless nature of cyberspace.

• The difficulty and, in some cases, impossibility of attributing malicious computer activities to an individual or nation.

• Nations’ reluctance to be regulated in this area.

Unlike the international territories of airspace, outer space or the high seas, cyberspace is not a global common; every piece of it is owned by individuals, private businesses and nations. Despite this, cyberspace exhibits many characteristics of international territory. Transmissions flow unimpeded in cyberspace without regard for national territory, and nations and individuals, with some exceptions, enjoy equal access to cyberspace to communicate freely with little to no regulation.

Since there are no clearly defined borders or neutral areas in cyberspace, “international cyberspace” must be created through a definition. Once a definition is agreed upon for what constitutes international cyberspace, certain portions of cyberspace may then be designated international cyberspace and thus be subject to international law. This designation would provide nations collective points of focus for combating the evils in cyberspace and allow nations, individually or collectively, to address the issues that plague cyberspace and even threaten individual states’ national security. Nations would have the option of attempting to block attacks and other cyberthreats at international cyberspace points beyond their networks before the threats reach and cause damage, a much more effective approach than defending from within your own networks. At the same time, the activity at the international cyberspace points by nations defending themselves would allow them to take defensive action and not violate the national sovereignty or territorial integrity of another nation by invading its networks. Additionally, nations would not need to know from whom or where the attack or intrusion originates.

Before continuing, let’s look at some definitions for cyberspace. For the purposes of this article, the terms “cyberspace” and “Internet” may be used interchangeably, but recognize that the Internet is a subset of cyberspace. Although the term “cyberspace” is used, the persistent problems this article seeks to address via the definition and designation of certain portions of cyberspace reside primarily on the Internet.

Defining cyberspace is an elusive process. It has been referred to as “imaginary space,” “a global network of interconnected computers and communications systems” and “a virtual shared universe.” It does not fit into a neat little box and seems to have no borders. Cyberspace is not a government-owned, centrally managed network of computers and communications systems. No one nation owns or controls cyberspace. Each owns its portion, but they are all interconnected around the world. In fact, all nations, their governments at all levels and even businesses worldwide struggle to secure their networks from intruders, attacks, viruses and worms, and other criminal behavior.

Although cyberspace and the Internet are global and affect most nations, creating an international legal regime to address the issues plaguing nations in cyberspace seems to be out of reach. This is certainly not due to the lack of a recognized need or effort. Many countries have enacted laws addressing issues in cyberspace, but these laws do not extend to other countries and are not harmonized with one another. Internationally, there are some valiant efforts, such as the 2001 Council of Europe Convention on Cybercrime and NATO’s Cyber Defence Centre implementing the Cyber Defence Management Authority and Cooperative Cyber Defence Centre of Excellence, but major impediments still exist and may never be overcome without common ground.

Cyberspace is borderless in that the transmissions flow unimpeded around the world regardless of physical or perceived borders. When an e-mail is sent between individuals in different countries, the electrons do not have to stop at the border and request permission to enter.

Laws are written for people within physically defined borders belonging to a particular nation. A nation‘s sovereignty and territory are defined by its borders, and the laws of that nation apply only to those within its borders or, in some cases, its citizens when outside its borders. Out of mutual respect and fear of reprisal, governments will not openly pursue criminal behavior in cyberspace without the consent and cooperation of the nations to whose territory the trail leads them. As outlined in the Council of Europe’s Convention on Cybercrime, nations work together to track and combat cybercrime — they do not intrude upon each others’ networks on their own accord.

The borderless nature, the speed at which electrons travel through cyberspace and other technical aspects of cyberspace make it difficult to quickly or easily attribute the origin of an attack, intrusion, worm or virus. It would be unusual and extremely stupid for someone to hack from his computer directly into the computer he wanted to attack. Typically, hackers will bounce their activity through numerous locations and countries. This conduct forces nations to work together to trace the path of a hacker, if they are willing to do so. This method of backtrace is slow and not very effective, although presently, it is the only legal method.

If a nation is confronted with a cyberattack that is attributable to another nation or individual, the response would be easy: Fire an electronic attack back at the attacker or send someone in uniform with his meanest face and a military force behind him to let the attacker know how displeasing the actions are. Life is never that easy. Many news articles have accused Russia of orchestrating the cyberattacks against Estonia and Georgia, but there seems to be much speculation over this issue. At a Business Council meeting for the United Nations, Brig. Gen. Marc Schissler, a director of cyberspace operations for the Air Force, when responding to a question regarding who attacked Georgia stated, “[a]ttribution is very difficult. … It is almost impossible to discern because most attacks jump across multiple computer servers in multiple countries.” The likelihood is that a nation will not truly know where a cyberattack, which is usually instantaneous in time, is coming from. By the time the origin of the attack or the attacker’s identify is determined, if ever, the incident is usually long over or resolved.

Finally, some people have recently speculated that nations most heavily invested in cyberspace may prefer some strategic ambiguity while they shape their national cyberdefense capabilities.

International cyberspace points would provide nations an avenue of self-defense outside of their networks wherein they would not have to initially be concerned with who is attacking or intruding or why. Questions such as whether a nation is entitled to act in self-defense under Article 51 of the U.N. Charter without violating the national sovereignty or territorial integrity of other nations under Article 2(4) of the U.N. Charter do not even become an issue unless a cyberevent is determined to be a use of force and attribution can be determined. A nation under attack, such as Georgia or Estonia, could legally take action at an international cyberspace point blocking or cutting off attacks similar to bouncing back or deflecting a denial-of-service attack.

There are likely some readers who are seeing the rising of Armageddon and zombie attacks as they quiver about what a very bad idea this is. Remember when GPS first came along, or the idea of the home computer? No one thought either of those were ideas that would take off. The concept of certain pieces of cyberspace serving a neutral function for the benefit of all users is not completely alien. Let’s take a look at various portions of cyberspace that might be considered so-called “international cyberspace” right now, and some ideas for how international cyberspace could be implemented.

Cyberspace exhibits an international flavor by virtue of the equal and unfettered access many people and nations enjoy. This is similar to international territory which is not owned by any one nation, but, all nations and individuals, barring some financial or technical obstacles, have equal access to international airspace, outer space and the high seas.

An excellent example of a portion of cyberspace that exhibits an international flavor is the Domain Name System (DNS) root servers. These servers translate Internet Protocol addresses, numbers such as, into Web site names such as XYZ.com, which are much easier to remember and use. When originally developed, the DNS servers were run by the U.S. government. As the Internet grew, the operation of these servers was eventually moved to private businesses and nonprofit organizations without direct government funding. The DNS servers provide vital support to the Internet for all, and thus could be considered quasi-international assets. Although run primarily by companies in the U.S. with oversight from international nonprofit organizations and the U.S., the sole function of the organizations that operate these servers is to support and ensure the healthy functioning of the Internet for all. Nations, primarily the U.S., have taken a hands-off approach to these servers other than to assist with their protection and ensuring they continue to function.

So, how would international cyberspace work? An international organization consisting of the major cyberspace faring nations would be the bestsuited to launch and oversee international cyberspace. This international organization must include private telecommunications companies that own or hold a significant presence in cyberspace, since it is their telecommunication equipment that constitutes the backbone of cyberspace and likely would be designated as international cyberspace. This organization must be able to collaborate with governments and industry on software and filtering for the international cyberspace points, developing a standard that will help to improve upon communications and cyberspace as a whole. Filtering standards could be developed and set to recognize and block the latest viruses and worms, creating a sort of international firewall.

The International Telecommunications Convention (ITC), developed by the International Telecommunication Union, provides an excellent model for an international cyberspace organization and an eventual International Cyberspace Convention. The ITC’s goal is “the preservation of peace and the social and economic development of all countries … by means of efficient telecommunications services.“ It also seeks the “improvement and rational use of telecommunications of all kinds.“ Articles 19 and 20 of the ITC provide nations a right to “suspend the international telecommunication service for an indefinite time, either generally or only for certain relations and/or for certain kinds of correspondence, outgoing, incoming or in transit, provided that [the nation] immediately notifies such action to each of the other Members through the medium of the Secretary-General.”

Similar to Articles 19 and 20, with regard to international cyberspace, if a nation’s network is intruded upon or attacked, prompting it to defend itself, a requirement might be that the nation provide notification and justification to the international cyberspace organization within 24 hours of the action taken against an international cyberspace point. Of course, the articles of the ITC refer to telecommunications the acting nation-state controls, but its actions would have an effect on others, since you cannot easily keep radio signals confined to physical borders. Cyberspace is similar, in that it is very difficult to control the transmissions and communications. In fact, an argument could be made that the definition of “telecommunications” in the ITC includes communications traversing computers and computer networks. The telecommunications referred to in the ITC certainly include telecommunications in cyberspace.

If created, an international cyberspace convention, similar to the ITC, should require all members to monitor international cyberspace points for health and efficiency and report to an international cyberspace organization as problems develop that affect cyberspace. An international computer emergency response group could be created to monitor and report the health of international cyberspace points.

Any designated international cyberspace points would continue to be owned and operated by private companies and nations, but the points would not retain any national sovereignty designation. Nations or private companies that do not wish their hardware to be considered international cyberspace would have options, although initially the options might not be perceived as favorable. These nations or private companies could reconfigure specific hardware so it does not fall within the definition of international cyberspace, or they could take the hardware offline. Depending on the definition and how these points are perceived, they may eventually become the primary hubs for cyberspace and therefore receive more attention as far as protection and revenue.

A possible definition for “international cyberspace” might include a designated volume of traffic supported by various hardware and links. Below is some suggested language for the definition:

“Hardware that supports X amount of traffic within a specific time period, such as core routers, network access points, Internet Exchange Points, network switches, global Access POPs (point of presence), nodes, landing stations, or other hardware, undersea cables and satellite links that bridge nations and continents; essentially the main arteries of cyberspace through which most cybertraffic flows internationally.”

“International cyberspace” is exactly what is needed today. Regardless of how you define cyberspace, it exists and is not limited by physical borders, because of the desire and will of individuals and nations to reach out to others and increase their ability for ever-greater and faster communication and economic growth. This has led to the rapid expansion of cyberspace to the point that it can no longer be controlled by any one nation. Cyberspace has become an entity unto itself, not controlled by anyone, but affecting all in one form or another. An effective solution to bring all nations together to set standards for resolve issues that plague all in cyberspace is to create international cyberspace.

As a man-made domain, we can certainly designate portions of it as international territory, and then nations can discuss options for managing international cyberspace for the prosperity of all.

Maj. David Willson is chief of cyberlaw at U.S. Space and Missile Defense Command/Army Forces Strategic Command. The views expressed here are the author’s own and do not necessarily reflect those of the Army or Defense Department.