Abstract

The visions of the capabilities predicted for the cyber domain 20 years ago are becoming a reality today in terms of their possibilities and opportunities, but also in terms of their threats.  In response to the latter, more than 25 nations around the world have already started forming cyber military units with the aim to counter and perform attacks on targets within and external to the cyber domain by making use of cyberspace.  Despite these developments, very little has been accomplished towards the promotion, signature and ratification of an international treaty to regulate the use of cyberspace in efforts of national defense and international security.  Such a treaty is natural to the diplomacy component of defense, which recently has been characterized by soft forms of cyberpower through tools of social media.  Furthermore, the author believes that new and unexplored opportunities in hard forms of power are available for the defensive role of diplomacy through mechanisms of international intervention, which could enhance transparency and deterrence especially in the advancement of nuclear programs suspicious of being non-compliant with the Nuclear Non-Proliferation Treaty (NPT).  Thus, this paper proposes cyber-intervention mechanisms as a form of smart power and as an alternative to cyberattacks.  The paper explores the question about the feasibility of convened intervention mechanisms based on cyberpower capabilities and infrastructure by exploring the areas of institutions, technology, policy and implementation.  For the implementation area, the paper focuses in the inspection and cyber-intervention of nuclear facilities.

Introduction

It is often said that "the best defense is a good offense." That may be true in domains of conflict in which characteristics of attribution of attacks enhance the opportunities for deterrence. However, in the 21st Century and after the attacks of 9/11, the world has come to experience the limitations of attribution and deterrence as useful elements in the solution of conflicts. As a consequence, the world witnesses an ongoing "war on terror" that far from being over, seems to create more of what it aims to dominate.

The same is true to the highly volatile and new domain of conflict, known as cyberspace. Methods of offense have been under development since the establishment of the first computer networks, as recorded by Chen and Robert (2004), with the codification of the first computer virus: Creeper. Parikka (2007) reports that this virus was created by Bob Thomas at Bolt, Beranek and Newman (BBN) Technologies and infected DEC PDP-10 computers connected to the ARPANET running on the TENEX operating system. It was detected in early 1970, suggesting that efforts may have been already underway to write its code at the end of the 1960's.

Viruses have been responsible for an enormous loss of information and investment. For example, the virus known as "Love Bug," deployed by a single hacker located in the Philippines, caused damage estimated at about $15 billion, as cited by Joseph S. Nye (2010). The 2004 report on The Economic Impact of Cyberattacks by Brian Cashell and Webel (2004) estimates the 2003 losses of a number of surveyed firms ranging from $13 billion (worms and viruses only) to $226 billion (for all forms of overt attacks)." A more recent example is given by Smith (2011), who quotes the Office of Management and Budget (OMB) of the United States saying that cyber attacks on agencies jumped 39% to 41,776 in 2010, up from 30,000 in 2009." The OMB also notes that the federal expense in IT security is about $12 billion, or approximately 15% of a $80 billion IT budget. The scale of losses range from assets of individuals to threats to nation-states and their diplomacy investments, as showcased by the case of Wikileaks.

From cyberattacks to cyberexploitation, humans have already made use of tools in the cyber domain to bring new forms of conflict between interests and to support certain points of view and ideologies. One of the characteristics of the cyber domain is that, in contrast to the other four domains of conflict i.e. land, sea, air and space, cyberspace has been entirely established by humans. When humanity began to adventure into Earth orbit and space, it was President John F. Kennedy (1962) who remarked one important characteristic of technology and its relationship to humanity, stating the following at a hallmark speech during the space-race:

The statement by President Kennedy stresses the responsibility of humans in the ethical use of technology to conquer peace, not only during the Cold War, but also in every sensitive endeavor that involves technology and society. Conveniently enough, the particle [cyber] could be inserted in Kennedy's quote before each mention of the word space, and the relevance of his statement becomes as valid in the cyber domain as it once was for space. The difference in this case, is that cyberspace has already been the theater of conflict since its inception, thanks to the ease of access and the opportunity it provides for concealment.

This paper supports the need for a treaty or convention for the peaceful use of cyberspace for national defense and international security, similar to the one drafted by Sofaer and Goodman (2000) and known as The Stanford Proposal. This paper re-examines the definitions of defense and power as they are relevant to the cyber domain with the work of Joseph S. Nye (2010, 2011). It addresses some of the issues of cyberattack capabilities reported by Owens et al. (2009) and proposes the idea of cyber-intervention as a diplomatic complement to the military use of cyberpower, and as a more transparent alternative. The main objective of the paper is to explore the feasibility of cyber-intervention as a smart form of power undertaken mostly by the diplomatic component of defense. It looks at its technological feasibility while considering its challenges and limitations in policy formulation and implementation. The motivation for this paper is found in the historical significance of the cyberattack on the Iranian nuclear plant, and moreover in the risk it represents today to backfire in the form of extra cyberspace retaliation against Western powers. The author believes that the use of cyberattack capabilities cannot be contained within cyberspace, and that the lack of attribution of the Iranian attack may represent a threat in itself.

Indeed, a non-responsible use of cyberpower, self-defined by the evident lack of attribution, could eventually open up a Pandora box by combining threats that our civilization has had to deal with to prevent, for example, what Kissinger (1955) would call during the Cold War a "general war." Indeed, better methods can be explored in order to (1) enforce the Nuclear Non-Proliferation Treaty (NPT) among other international agreements and (2) increase the transparency and deterrence potential of defense policy through the use of cyberpower. The reason for this proposal on cyber-intervention finds support in the work by Deibert (2010); Deibert and Rohozinski (2010) on the risks in cyberspace security and increasing militarization. The role of key actors and institutions in the diplomatic realm of defense, ranging from Foreign Affairs Departments to the UN Security Council, should be fully explored and developed. This paper aims to represent an initial approach to cyber-intervention as an alternative to cyberattacks in the use of cyberpower.

The paper is organized in four other Sections. Section 2 introduces concepts of defense as they are relevant to military and diplomacy. Section 3 presents current views of power in cyberspace, two definitions of cyberpower, its targets in the virtual and physical domain, and its resources. Section 4 proposes cyber-intervention as a complementary use of cyberpower. Finally, Section 5 provides concluding remarks and insights for future work.

Further information about this paper

For more information please click here.  The paper was delivered in April, 2011.