Read an Excerpt

CHAPTER 1

Internet Governance and National Security

Panayotis A. Yannakogeorgos

The debate over network protocols illustrates how standards can be politics by other means.

— Janet Abbate, Inventing the Internet (1999)

The organizing ethos of the Internet founders was that of a boundless space enabling everyone to connect with everything, everywhere. This governing principle did not reflect laws or national borders. Indeed, everyone was equal. A brave new world emerged where the meek are powerful enough to challenge the strong. Perhaps the best articulation of these sentiments is found in "A Declaration of Independence of Cyberspace." Addressing world governments and corporations online, John Perry Barlow proclaimed, "Your legal concepts of property, expression, identity, movement, and context do not apply to us. They are all based on matter, and there is no matter here." Romanticized anarchic visions of the Internet came to be synonymized with cyberspace writ large. The dynamics of stakeholders involved with the inputs and processes that govern this global telecommunications experiment were not taken into account by the utopian vision that came to frame the policy questions of the early twenty-first century. Juxtapose this view with that of some Internet stakeholders who view the project as a "rational regime of access and flow of information, acknowledging that the network is not some renewable natural resource but a man-made structure that exists only owing to decades of infrastructure building at great cost to great companies, entities that believe they ultimately are entitled to a say."

The sole purpose of cyberspace is to create effects in the real world, and the U.S. high-tech sector leads the world in innovating and developing hardware, software, and content services. American companies provide technologies that allow more and better digital information to flow across borders, thereby enhancing socioeconomic development worldwide. When markets and Internet connections are open, America's information technology (IT) companies shape the world and prosper. Leveraging the benefits of the Internet cannot occur, however, if confidence in networked digital information and communications technologies (ICTs) is lacking. In cyberspace, security is the cornerstone of the confidence that leads to openness and prosperity. While the most potent manifestation of cyberspace, the Internet, works seamlessly, the protocols and standards that allow computers to interoperate are what have permitted this technological wonder to catalyze innovation and prosperity globally. The power of the current Internet governance model strengthens the global power of the American example and facilitates democratization and development abroad by permitting the free flow of information to create economic growth and global innovation. Today, this Internet is at risk from infrastructure and protocol design, development, and standardization by corporate entities of nondemocratic states.

Cybersecurity discussions largely focus on the conflict created by headline-grabbing exploits of ad hoc hacker networks or nation-state-inspired corporate espionage. Malicious actors add to the conflict and are indeed exploiting vulnerabilities in information systems. But there is a different side of cyber conflict that presents a perhaps graver national security challenge: that is the "friendly" side of cyber conquest, as Martin Libicki once termed it. The friendly side of cyber conquest of the Internet entails dominance of the technical and public policy issues that govern how the Internet operates. Current U.S. cybersecurity strategies do not adequately address the increasing activity of authoritarian states and their corporations within the technical bodies responsible for developing the protocols and standards on which current and next-generation digital networks function. But the issues related to governance of critical Internet resources (CIRs) and their impact on U.S. national security are often overlooked. Foreign efforts to alter the technical management of the Internet and the design of technical standards may undermine U.S. national interests in the long term. This chapter discusses the U.S. national security policy context and presents the concept of friendly conquest and the multistakeholder format of Internet governance, which allows for the free flow of information. There are many global challenges to the status quo, including the rise of alternative computer networks in cyberspace, that beg for recommendations to address those challenges.

INTERNET GOVERNANCE AND U.S. NATIONAL CYBER STRATEGY

Internet governance can be defined as a wide field including infrastructure, standardization, legal, sociocultural, economic, and development issues. Within the context, this chapter focuses on the technical standards-setting bodies and protocols that do not elicit the same attention as more visible threats to national cybersecurity. In a human capital and resource-constrained environment, attention has focused on crime, espionage, and other forms of cyber conflict rather than on the issues related to governance of CIRs, development of technical standards, and design of new telecommunications equipment. In a domain that is already confusing to policy wonks, the complexity of Internet governance makes it even harder for policy makers to commit resources to a field that has no analogy in the physical world. In the nuclear age, there was no debate as to whether one could redesign the physical properties of uranium and apply them universally to eliminate the element's potential for weaponization. The underlying language of nuclear conflict was constrained by the laws of physics (e.g., nuclear fission, gravity). Physical limits in cyberspace exist as well by constraining information flows to the laws of physics — the wave-particle duality of radiation which, when modulated with bits, creates an information flow. However, the technical standards that permit information to flow across networks and appear within applications to create effects in the real world are bound only by the limits of human innovation and the politicized processes by which the standards are created and set. This affects the character of cyberspace. Its current form is free and open, but that does not necessarily mean it always will be. Understanding the strategic-level issues of Internet governance is thus just as critical as understanding the impact of vulnerabilities that threat actors may exploit to cause incidents of national security concern. In the national security context, the technical management of the Internet matters because it may allow authoritarian states to exert power and influence over the underlying infrastructure, thereby reshaping the operational environment.

Several current national strategies articulate nationwide responses to cyber threats. They tend to focus on catastrophic national security incidents rather than on the battles within the organizations that set technical standards or manage the day-to-day operation of the Internet. American national strategies have consistently highlighted the importance of current multistakeholder forums for design and standardization of the technical standards via "collaborative development of consensus-based international standards for ICT ... a key part of preserving openness and interoperability, growing our digital economies, and moving our societies forward." Furthermore, the challenges we face in international standards-setting bodies are recognized in that "in designing the next generation of these systems, we must advance the common interest by supporting the soundest technical standards and governance structures, rather than those that will simply enhance national prestige or political control."

Security demands that the language of the Internet — the underlying technical standards and protocols — continue to sustain free-flowing information. If "code is law" in cyberspace, as some posit, then the standards and protocols are the fabric of cyber reality that give code meaning. In policy circles, cyberspace is already considered the "invisible domain." Technical standards and protocols are thus "invisible" squared. However, these protocols define the character of the Internet and its underlying critical infrastructures. As noted elsewhere, "The underlying protocols to which software and hardware design conforms represent a more embedded and more invisible form of level architecture to constrain behavior, establish public policy. ... [I] n this sense protocols have political agency — not a disembodied agency but one derived from protocol designers and implementers." In the past, it was the United States that led the world in the development of protocols and standards. As a result, the values of freedom were embedded in the Internet's design and character, which incubated innovation that continues to spur socioeconomic development globally. Creating the Internet and maintaining the technical edge are two very different problems.

THE FRIENDLY SIDE OF CYBER CONFLICT

Looming battles in Internet standards and governance bodies will determine the future character of the Internet. The advanced deployment of IPv6 in Russia and China and development of new standards by near-peer-competitor countries are creating new technical standards and deploying them into the global marketplace, thus enabling friendly cyber conflict.

Friendly conquest occurs when a noncore operator of a system enters into partnership with a core operator in exchange for access to a desired information system. Cyber strategic theorist Martin Libicki notes,

One who controls a system may let others access it so that they may enjoy its content, services and connections. With time, if such access is useful ... users may find themselves not only growing dependent on it, but deepening their dependence on it by adopting standards and protocols for their own systems and making investments in order to better use the content, services or connections they enjoy.

The core partner in such a coalition emerges to dominate noncore members who have come to depend on the service offered, though not without some vulnerability to the core partner's network. Fears exist "that the full dependence that pervades one's internal systems may leave one open for manipulation. ... The source of such vulnerability could range from one partner's general knowledge of how the infrastructure is secure, to privileged access to the infrastructure that can permit an attack to be bootstrapped more easily."

Libicki operates with relational mechanisms to explain how coalitions leading to friendly conquest occur. Friendly conquest in cyberspace can be surmised as the willing participation of X in Y's information system. X willingly enters into a coalition with Y in cyberspace. Y's friendly conquest of X occurs when X becomes dependent on Y's system. This is not to say that X merely entering the coalition will cause the conquest. X's perceived need for access to Y's cyberspace (or inability to construct its own) causes it to willingly enter into a coalition with Y. X adopts Y's standards and protocols making up the information system architecture of Y's cyberspace in a way that allows it to interoperate within X's cyberspace. X adopts Y's cyberspace architecture and thus the necessary condition for Y's friendly conquest. It is a facilitating condition for X's hostile conquest. X might begin to use the standards and protocols of Y's cyberspace as a model for its own cyberspace. Since Y is an expert in its own standards and protocols, X's modeling of these standards in its own systems is another vulnerability, which can facilitate X's hostile conquest by Y. X does not have to be a friend. It can be a neutral or a possible future enemy of Y. There is utility in Y opening its cyberspace to X only if Y sees some benefit to itself, although Libicki does argue that Y will open its cyberspace regardless. Once friendly conquest is accomplished, Libicki argues, it can facilitate hostile conquest in cyberspace. Friendly conquest of X by Y may facilitate hostile conquest in cyberspace conducted by Y against X.

The Internet and its underlying technical infrastructure is a potent manifestation of how the United States, as core operator of an information system, extended friendly dominance over allies and adversaries alike through creation of the technology and setting the rules for its operation. The Internet relies on products designed and operated by U.S.-based entities such as the Domain Name System (DNS) and Internet Corporation for Assigned Names and Numbers (ICANN), Microsoft, and Cisco. Users around the world, such as Google and Facebook, have come to rely on services offered over this platform. The dominant position that U.S.-based entities currently have is not permanent. The Estonian-developed Skype is indicative that services may be non-U.S. in origin. Yet, even when an Internet-based service is created by foreign entities, most of the information flowing through the said application passes through hardware in the United States. When vulnerabilities are perceived, other nations may try to exit our information system to preserve their cyber sovereignty and expand their influence by attracting customers toward their own indigenous systems and away from the Internet. Thus, our strategic advantage in cyberspace is not timeless and is being contested in varying degrees by near-peer competitors. Hence, we should understand their current responses to U.S. technological dominance to refine our cyber strategy within the context of friendly cyber conquest.

U.S. Air Force doctrine recognizes one aspect of friendly conquest: supply-side infrastructure vulnerabilities. "Many of the COTS [commercial off the shelf] technologies (hardware and software) the Air Force purchases are developed, manufactured, or have components manufactured by foreign countries. These manufacturers, vendors, service providers, and developers can be influenced by adversaries to provide altered products that have built-in vulnerabilities, such as modified chips." Friendly conquest goes beyond adversaries merely being able to infiltrate the supply chain and create backdoors on servers of national security significance before they enter the United States. The threat also comes from the emergence of new technologies in which the United States is not the core operator but may become dependent. With the focus on malicious cyberattacks, not enough attention is being paid to the soft underbelly of the cyber world — the technologies and standards that have allowed cyberspace to emerge from the electromagnetic spectrum.

China is making a great leap forward in terms of sowing the seeds for global friendly conquest in cyberspace. As reported by the U.S.– China Economic and Security Review Commission, "If current trends continue, China (combined with proxy interests) will effectively become the principal market driver in many sectors, including telecom, on the basis of consumption, production, and innovation." U.S. reliance on China as a manufacturer of computer chips and other ICT hardware has allowed the potential for the introduction of intentional vulnerabilities and backdoors in the digital fabric of equipment used by U.S.-based entities, including the military. Extraordinarily low-priced Chinese-made computer hardware is a lucrative buy in Asia and the developing world. Furthermore, Chinese entities, such as China Mobile, are on the leading edge of developing the standards of next-generation mobile 5G LTE networks within the International Telecommunications Union (ITU) IMT 2020 working group. According to the ITU, "The IMT-2020 standard is set to be the global communication network for the coming decades and is on track to be in place by 2020. The next step is to agree on what will be the detailed specifications for IMT-2020, a standard that will underpin the next generations of mobile broadband and IT connectivity." In addition to the standards-setting bodies, Chinese telecommunication operators are preparing to deploy operational 5G networks within China.

One example of how efforts at friendly conquest can make the United States vulnerable to cyber exploitation is demonstrated in China's failure at creating a telecommunication protocol as a result of the United States successfully blocking a Chinese effort to set wireless local area network (WLAN) authentication and privacy infrastructure (WAPI) protocol as an international wireless communication standard. Despite what appeared to be a success, China went on to ban devices using the internationally accepted 802.11 Wi-Fi communication protocol standard just as it launched the WAPI standard domestically. The effect of this is that if mobile telecommunication equipment manufacturers wanted to have devices that could legally be sold in China, they had to produce equipment with the WAPI standards. Thus, Apple, Dell, and others began producing mobile phones with the Chinese WAPI standard on its chips. This opens up the potential for control of standards within emerging markets, and also the potential for security risks being created with a Chinese standard now being commonplace on Wi-Fi telecommunications equipment. This could enable China to have a side channel into encrypted communications on those devices, allowing the Chinese government access to trusted communications if desired.

(Continues…)

---

Excerpted from "Understanding Cybersecurity"
by .
Copyright © 2018 Gary Schaub Jr..
Excerpted by permission of Rowman & Littlefield International Ltd..
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---