The Wall Street Journal reported on Friday that the Obama Administration was ready to engage in talks with Russia about on cyberspace disarmament. I finally had a chance to read the remarks, by the new head of Cyber Command, Gen. Keith Alexander, also the head of the National Security Agency. (In a revealing typo, the House Appropriations committee once described this status as being "dual-hated.") The actual Q&A leading to the story was pretty tepid:
Q: Good morning. ...The question I have is regarding Russia’s proposal, with significant support in the U.N. General Assembly, for a cyberwarfare arms limitation treaty. And the question is whether you think something like that is possible. The other part of their proposal is to create, basically, sovereignty on the Net. And how would that – do you think that can work? And how would that impact your functions? GEN. ALEXANDER: ...I do think that we have to establish the rules and I think what Russia’s put forward is, perhaps, the starting point for international debate – not at my level, but at levels above me. And I think when they put that on the table, I think the secretary of defense, the secretary of state, the administration would take those, carefully consider those and say: Now, what’s the counterproposal from the United States, from China, from Russia, from Europe, from the Middle East? How do we put that on the table? And I think we do have to establish that in the lanes of the road. With respect to sovereignty, that’s much more complicated. And the reason is, well, look at our businesses as an example. They are multinational in nature. And as a consequence, working with business and industry – industry and business working with government – we have opened up a set of vectors that don’t easily drop to geographic nation-state boundaries. So I think the first may be the way to helping the second, the first part of your question. And I do think it’s something that we should and probably will carefully consider. You know, I think those are the kinds of things that need to be put on the table, talked through and start out as a – call it version 1.0.Now, that's an extemporaneous answer, not a proposal for talks. But it does mark a shift. Up to now, the Pentagon has been clear -- and correct -- in saying that a cybersecurity treaty is equivalent to unilateral disarmament.
I explain why in my book. The rise of JAG authority over every detail of warfighting means that the Pentagon would be exquisitely sensitive to arguable violations of international law in carrying out operations in cyberspace. Our guys would sit with their fingers poised over the "return" button for hours while the JAGs were trying to figure out whether the Belarussian remarks in committee were a consensus or an individual interpretation of article 42bis. And nobody else would give a damn what the treaty said, because they wouldn't expect to get caught and because even implausible deniability can't be rebutted with the certainty needed to make a legal case, let alone send missiles in response.
Gen. Alexander isn't endorsing the Russian proposal, or even talks about the Russian proposal. But the WSJ was right to read between the lines. For months now, there's been a bit of a thaw on the question of international engagement over cybersecurity. The State Department has been staffing up a cyber negotiations office. And it's almost certainly been pushing for international cyber security talks, because, well, because pushing for international talks is what State does. So Gen. Alexander's remarks are a sign that State is winning the internal fight over whether to talk at all with other nations about these issues.
My guess is that State is winning because the President is convinced of the goodness of nuclear talks, and it's an easy step from there to believing in the goodness of talks about cyberwar. If so, he's making a big mistake. Computer attacks are nothing like nuclear war, except for the part where they cripple the country. They're untraceable, the technology has already proliferated to the point where we have to worry about the capabilities of at least fifty countries, and we're the principal target for roughly forty-five of those countries, so we'll be outvoted 45 to 1, with four abstentions, on everything that matters. After all, why should any of them agree to give up the network espionage and attack capabilities that are their most cost-effective deterrent against the US? Multilateral talks -- or even bilateral talks with the nations we fear most -- aren't likely to do us much good if they start from a disarmament model.
That's not to say that international talks are completely lacking in value. If pressed for what kind of talks might actually do some good, I'd say that getting countries to accept responsibility for effective policing of networks inside their national boundaries would be a good first step. We need to be able to tell other nations that, if they can't attribute and stop an attack coming from their territory, we're going to assume that they're sponsoring it.
Of course, before we can do that, we have to be able to attribute and stop attacks coming from our territory. That's not easy. But if we don't find a way to take that minimal step, the tools being used today by nation states will be used next year by criminal gangs; and sooner or later crooks will take down a big bank's record-keeping system just to see how much we'll pay to bring it back up. T
he best negotiation is one where your main concession is to do something you should do anyway, and controlling cybercrime at home is definitely something we should do. Remarkably, that might turn out to be a concession that other nations would value, too. Being as how we're the biggest source of certain kinds of network attacks.
So if we can get the Russians off their lame attempt to replay the disastrously unverifiable scam that the Biological Weapons Convention turned into, maybe there is something to talk about.