Yesterday and today IGP is holding its 5th annual workshop. The topic is “Building Transnational Cyber-Attribution.” The program for the event can be seen here. The following are my opening remarks, in which I put our cyber-attribution efforts into the broader context of contemporary geopolitical conflict.
Repeating a cycle?
There are a lot of parallels between the time we are in now and the early 20th century. The period from 1895 – 1914 was a period of globalization and growing prosperity. Unprecedented economic growth was fueled in part by the rapid development of communications technology: especially undersea telegraph cables and radio telegraphy. All this prosperity and interconnection unraveled rapidly, however, as Western states tried to harness their newfound wealth to enlarge their political and military power. This led to a global competition for imperial possessions and growing friction among states. It culminated in the horrors of World War 1 and, not too long after, a global depression and World War 2.
We seem to be repeating this cycle. Decades of economic growth and the rise of an even more globalizing technology, networked computers, is now being followed by deterioration into national rivalries. Again we see a rising power confronting a prior dominant power (back then it was Germany and the US challenging British hegemony; now it is the US seeing China as a threat to its global hegemony). We see the elevation of national security over global trade and interconnection. Tech nationalism – where control of communication and information technology is wedded to the security objectives of the nation state – is being embraced by almost every major and minor state power. It does not bode well for a connected and peaceful cyberspace.
Attribution and geopolitical conflict
How does cyber attribution fit into this larger picture? Cyber security and information operations are two key arenas of geopolitical conflict today. Cyber infrastructure permeates business and civil society in a way that is far deeper and more pervasive than the telegraph and telephone networks of the late 19th century. This makes cyber attacks more broadly relevant to society than earlier forms of information operations. Furthermore, cyber attacks blur the line between war and peace in a way that is historically unique.
Attribution is a small but critical part of the problem of cyber conflict. The ability to point the finger at an adversary, to issue blame, whether justified or not, is a form of power. In this conference we are interrogating the nature of that power and asking whether civil society and the private sector can help to defuse it, making decisions that are based on facts and scientific method rather than politics and strategy. By doing so, we hope to promote what we might call cyber peace.
In discussing cyber attribution, we need to keep our eyes focused on the root causes of cyber conflict, which is the system of state sovereignty. There is an inherent conflict between the open global cooperation and information flows fostered by cyberspace and the territorial fragmentation and anarchy created by the system of sovereign states. Can civil society initiatives focused on cooperation across national boundaries overcome some of the fragmentation and conflict caused by rivalries among states? Perhaps, if we take authoritative attribution out of the hands of states and put it in a more socially responsible place, we can mitigate one of factors fomenting cyber conflict.
Building transnational cooperation
Our focus on attribution has its roots in one of the initiatives floated by Microsoft’s Digital Geneva Convention proposal several years ago. Those proposals were welcomed by some and criticized by many others, but one of its components, the idea of an independent attribution organization, has proven to have legs, as we say in the US. Several other analysts have picked up on the idea, including the Internet Governance Project, and the ICT4 Peace group. The formation of the Cyber Peace Institute is a sign of a broader cyber peace movement.
If you will allow me to return to the late 19th/early 20th century again, another one of the interesting features of that era was the rise of an international peace movement. This movement, with roots in idealistic religious, educational and political leaders, sought to eliminate war through the formation of international institutions. I invoke that legacy cautiously, because there is no doubt that it was a failure in most respects. Responding to the success of this movement, the major governments in the interlude between WW1 and WW2 signed the Kellogg-Briand pact in 1928, agreeing to abandon war as a tool of national policy. Obviously those ideals were crushed by reality.
Our saving grace is that our goals today are a lot more modest and achievable. We are not saying that we are going to eliminate cyber conflict, much less eliminate all war. We are simply saying that we can defuse one source of cyber conflict by ending the monopoly of states on authoritative cyber attribution. I know there are people here who are squeamish about this group evolving to the point where we can actually make attributions. They shouldn’t be. After discussing this issue for the better part of two years I have only heard one argument for why states should have a monopoly on attribution- just one! And that is that it is a “political” function. Think about that. Proponents of this view (usually representatives of states) are openly admitting that their choice to make an attribution (or not) will be done in a way that serves political ends. And that, of course, is the strongest reason why states should not have this power reserved to them. We think that attribution is a factual and scientific matter, not a tool of geopolitics.
Realistically, we can limit the power of states to use cyber attribution as a strategic tool by setting up new forms of transnational cooperation among non state actors. This network should be able to check, review and make cyber-attributions. This is a potent source of cyber accountability.