The Pandora’s Box of the Digital Age
In the past year alone, a series of hacks and ransomware attacks by hostile governments and other malign actors have raised alarms about a major threat to global stability. Unfortunately, many governments are responding by developing still more cyber weapons, on the mistaken assumption that offense is the best defense.
STOCKHOLM – Is the world sliding dangerously toward cyber Armageddon? Let us hope not; but let us also apprehend the threat, and focus on what to do about it.
One country after another has begun exploring options for bolstering their offensive capabilities in cyberspace, and many other countries have already done so. This is a dangerous escalation. In fact, few other trends pose a bigger threat to global stability.
Almost all societies have become heavily dependent on the Internet, the world’s most important piece of infrastructure – and also the infrastructure upon which all other infrastructure relies. The so-called Internet of Things is a misnomer; soon enough, it will be the “Internet of Everything.” And our current era is not a Fourth Industrial Revolution; it is the beginning of the digital age, and the end of the industrial age altogether.
The digital age has introduced new vulnerabilities that hackers, cyber criminals, and other malign actors are already routinely exploiting. But even more alarming is the eagerness of national governments to conduct cyber-warfare operations against one another.
We have already reached the stage at which every conflict has a cyber dimension. The United States and Israel crossed the Rubicon in 2010 by launching the Stuxnet attack on Iran’s nuclear facilities. Now, there is no telling where ongoing but hidden cyber conflicts begin and end.
Things were different in the old world of nuclear weapons, which are complicated and expensive devices based on technology that only a few highly educated specialists have mastered. Cyber weapons, by contrast, are generally inexpensive to develop or acquire, and deceptively easy to use. As a result, even weak and fragile states can become significant cyber powers.
Worse still, cyber-war technologies have been proliferating at an alarming pace. While there are extensive safeguards in place to control access to sensitive nuclear technologies and materials, there is almost nothing preventing the dissemination of malicious software code.
To understand the scale of the threat we face, look no further than the “WannaCry” virus that, among other things, almost shut down the British National Health Service this past May. The virus exploited a vulnerability in the Microsoft Windows operating system that the US National Security Agency had already discovered, but did not report to Microsoft. After this information was leaked or stolen from the NSA, North Korea quickly put the ransomware to use, which should come as no surprise. In recent years, North Korea has launched numerous cyber attacks around the world, most notably against Sony Pictures, but also against many financial institutions.
And, of course, North Korea is hardly an exception. Russia, China, and Israel have also developed cyber weapons, which they are busy trying to implant in systems around the world. This growing threat is precisely why other countries have started talking about acquiring offensive cyber capabilities of their own: they want to have a deterrent to ward off attacks from other cyber powers. Cyber security is regarded as complicated and costly; but cyber offense is seen as inexpensive and sexy.
The problem is that, while deterrence works in the nuclear world, it isn’t particularly effective in the cyber world. Rogue actors – and North Korea is hardly the only example – are far less vulnerable than developed countries to cyber counterstrikes. They can attack again and again without risking serious consequences.
Cyber attacks’ often-ambiguous origins make it even harder to apply a rational theory of deterrence to the cyber world. Identifying the responsible party, if possible at all, takes time; and the risk of misattribution is always there. I doubt we will ever see unambiguous proof that Israel is conducting offensive cyber operations; but that certainly doesn’t mean that it isn’t.
In the darkness of cyberspace, sophisticated actors can hide behind oblivious third parties, who are then exposed to counterstrikes by the party under attack. And in the ongoing conflict among Gulf countries, at least one government may have contracted hackers based in other countries to conduct operations against an adversary. This method of avoiding detection will almost certainly become the norm.
In a world riven by geopolitical rivalries large and small, such ambiguity and saber-rattling in the cyber realm could have catastrophic results. Nuclear weapons are generally subject to clear, strict, and elaborate systems of command and control. But who can control the legions of cyber warriors on the dark web?
Given that we are still in the early stages of the digital age, it is anyone’s guess what will come next. Governments may start developing autonomous counterstrike systems that, even if they fall short of Dr. Strangelove’s Doomsday Machine, will usher in a world vulnerable to myriad unintended consequences.
Most obviously, cyber weapons will become a staple in outright wars. The United Nations Charter affirms all member states’ right to self-defense – a right that is, admittedly, increasingly open to interpretation in a kinetic, digitized world. The Charter also touches on questions of international law, particularly with respect to non-combatants and civilian infrastructure in conflict zones.
But what about the countless conflicts that do not reach the threshold of all-out war? So far, efforts to establish universal rules and norms governing state behavior in cyberspace have failed. It is clear that some countries want to preserve their complete freedom of action in this domain.
But that poses an obvious danger. As the NSA leaks have shown, there is no way to restrict access to destructive cyber weapons, and there is no reason to hope that the rules of restraint that governed the nuclear age will work in the cyber age.
Unfortunately, a binding international agreement to restrict the development and use of offensive cyber weapons in non-war situations is probably a long way off. In the meantime, we need to call greater attention to the dangers of cyber-weapon proliferation, and urge governments to develop defensive rather than offensive capabilities. An arms race in cyberspace has no winners.
Controlling Cyber Conflict
LAS VEGAS – When cyber-security professionals were polled recently at their annual Black Hat conference in Las Vegas, 60% said they expected the United States to suffer a successful attack against its critical infrastructure in the next two years. And US politics remains convulsed by the aftermath of Russian cyber interference in the 2016 election. Are cyber-attacks the wave of the future, or can norms be developed to control international cyber conflict?
We can learn from the history of the nuclear age. While cyber and nuclear technologies are vastly different, the process by which society learns to cope with a highly disruptive technology shows instructive similarities. It took states about two decades to reach the first cooperative agreements in the nuclear era. If one dates the cyber-security problem not from the beginning of the Internet in the 1970s, but from the late 1990s, when burgeoning participation made the Internet the substrate for economic and military interdependence (and thus increased our vulnerability), cooperation is now at about the two-decade mark.
The first efforts in the nuclear era were unsuccessful United Nations-centered treaties. In 1946, the US proposed the Baruch plan for UN control of nuclear energy, and the Soviet Union promptly rejected locking itself into a position of technological inferiority. It was not until after the Cuban Missile Crisis in 1962 that a first arms control agreement, the Limited Test Ban Treaty, was signed, in 1963. The Nuclear Non-Proliferation Treaty followed in 1968, and the bilateral US-USSR Strategic Arms Limitation Treaty in 1972.
In the cyber field, Russia proposed a UN treaty to ban electronic and information weapons (including propaganda) in 1999. With China and other members of the Shanghai Cooperation Organization, it has continued to push for a broad UN-based treaty.
The US resisted what it saw as an effort to limit American capabilities, and continues to regard a broad treaty as unverifiable and deceptive. Instead, the US, Russia, and 13 other states agreed that the UN Secretary General should appoint a Group of Governmental Experts (GGE), which first met in 2004.
That group initially produced meager results; but, by July 2015, it issued a report, endorsed by the G20, that proposed norms for limiting conflict and confidence-building measures. Groups of experts are not uncommon in the UN process, but only rarely does their work rise from the UN’s basement to a summit of the world’s 20 most powerful states. But while the GGE’s success was extraordinary, last month it failed and was unable to issue a consensus report for 2017.
The GGE process has limitations. The participants are technically advisers to the UN Secretary General rather than fully empowered national negotiators. Over the years, as the number of GGE member states increased from the original 15 to 20 and then to 25, the group became more unwieldy, and political issues became more intrusive. According to one diplomat who has been central to the process, some 70 countries have expressed interest in participating. But as the numbers expand, the difficulty of reaching agreement increases.
There is a wide range of views about the future of the GGE process. A first draft of a new report existed at the beginning of this year, and the able German chairman argued that the group should not rewrite the 2015 report, but try to say more about the steps that states should take in peacetime.
Some states suggested new norms to address data integrity and maintenance of the Internet’s core structures. There was general agreement about confidence-building measures and the need to strengthen capacity. The US and like-minded states pressed for further clarification of the earlier agreement that international laws of armed conflict, including the right of self-defense, apply in cyberspace, but China, Russia, and their allies were reluctant to agree. And the deterioration in US-Russian relations soured the political climate.
Moreover, whereas some states hope to revive the GGE process or enlarge it into a broader UN process, others are skeptical, and believe that future progress will be limited to discussions among like-minded states, rather than leading to universal agreements.
Norms that may be ripe for discussion outside the GGE process could include protected status for the core functions of the Internet; supply-chain standards and liability for the Internet of Things; treatment of election processes as protected infrastructure; and, more broadly, norms for issues such as crime and information warfare. All of these are among the topics that may be considered by the new informal Global Commission on Stability in Cyberspace established early this year and chaired by former Estonian Foreign Minister Marina Kaljurand.
Progress on the next steps of norm formation will require simultaneous use of many different formats, both private and governmental. For example, the 2015 agreement between China and the US to limit industrial cyber espionage was a bilateral accord that was later taken up by the G20.
In some cases, the development of norms among like-minded states can attract adherence by others at a later point. In others, such as the Internet of Things, norms for security standards may benefit from leadership by the private sector or non-profit stakeholders in establishing codes of conduct. And progress in some areas need not wait for others.
A regime of norms may be more robust when linkages are not too tight, and an over-arching UN treaty would harm such flexibility at this point. Expansion of participation is important for the acceptance of norms, but progress will require action on many fronts. Given this, the failure of the GGE in July 2017 should not be viewed as the end of the process.
Russia’s Hybrid War Against the West
As Russian President Vladimir Putin made plain during the US election campaign, the Kremlin is no longer playing by the rules that applied even during the darkest days of the Cold War. With voters heading to the polls in France, Germany, and the Netherlands in 2017, Europe faces a threat that it is only just beginning to comprehend.
BRUSSELS – The United States FBI and CIA have both concluded that Russia ran a hacking and disinformation campaign aimed at influencing the US presidential election in Donald Trump’s favor. We may never know how successful Russia’s cyber operation was, but we do know that the Kremlin got the result it wanted. Time magazine was wrong to name Trump its person of the year. Clearly, this was Russian President Vladimir Putin’s year.
The attack on the US may have been a precursor to further electoral meddling in Europe, where officials are now racing to counter Russian cyber operations before a series of major elections in 2017, including in the Netherlands, Germany, and France. Past cyber attacks in Europe bear an uncanny resemblance to the alleged Russian-sponsored hack on the Democratic National Committee in the US.
In early 2015, a group with ties to the Russian government hacked into the German Bundestag, stole confidential files, and gave them to WikiLeaks, which published them. Germany’s Federal Office for the Protection of the Constitution has accused Russia of orchestrating similar attacks on German government computer systems. Meanwhile, in November, the European Commission also suffered a large-scale cyber attack, and while the culprit remains unknown, very few people or organizations are capable of carrying out such an operation.
Cyber attacks are just one element in a broader hybrid war that Russia is waging against the West. Russia has also assisted far-right nationalist organizations and populist movements across Europe, such as by extending loans to Marine Le Pen’s National Front in France, and furnishing UK Independence Party politicians with prime-time media slots on the Russian state-funded television network Russia Today.
US President Barack Obama has finally vowed to respond to Putin’s assault on American democracy, but he should have done more – and acted much sooner. Europeans would be foolish to expect assistance from the incoming Trump administration. Trump’s chief strategist, Stephen Bannon – a former executive chairman of the American “alt-right” disinformation website Breitbart News – has openly offered to help Le Pen win the French presidential election next spring.
Official Russian sources admit that they spent €1.2 billion ($1.25 billion) on foreign media campaigns just this year. In the EU, thousands of fake-news websites have appeared, many of them with unclear ownership: the number of disinformation websites in Hungary doubled in 2014; and in the Czech Republic and Slovakia, some 42 new websites are now polluting the EU’s information ecosystem. And, less surreptitiously, the Kremlin has spent hundreds of millions of dollars funding propaganda outfits – such as the Sputnik “news” agency – even as the Russian economy implodes.
Russia’s disinformation campaigns are complex and multifaceted, but the mission they share is to undermine trust in Western democratic authorities. Social-media trolling is one method. And social media is also a key vector for a Russian strategy that relies on historical revisionism (the claim that Russia alone won World War II is a staple of this approach); on conspiracy theories, promoted among European and American nationalist movements, which blame the West for, say, inciting the war in Ukraine; and denial of reality, such as the presence of Russian troops in Crimea and Ukraine.
To defend against this onslaught, the West should promote media freedom, reward accountability, and provide legal avenues to shut down systemic disinformation channels. It bodes well that the EU recently amended its 2017 budget to reinforce the European External Action Service’s StratCom team, which had been badly underfunded, despite its critical mission of uncovering and debunking disinformation. But the EU and NATO should also take a lesson from the US election, by bolstering collective European cyber defenses, and pressuring member states to expand their own cyber capabilities. On the political front, Putin must be told that foreign interference in national elections will have severe negative consequences for Russian economic interests.
Beyond government action, the private sector and civil-society organizations should step up their efforts to verify whether online news stories are accurate, balanced, and credible. Organizations working together can make a difference. For example, Russia terminated its Swedish-language edition of Sputnik, because Swedish media organizations were not using its products.
But while Facebook has indicated that it will improve the vetting process for its content, voluntary measures may not be enough: some German lawmakers have suggested that legislation may be needed to clean up social-media platforms. Still, Europe’s strongest defense is its free press, together with nongovernmental organizations working to expose lies.
Europeans must not become complacent about the current state of their free press. After all, Breitbart News is already in Britain and is planning to expand across the EU. Within days of Trump’s election, the New York Times reported, “Marion Maréchal-Le Pen, Marine Le Pen’s niece and a rising force in the National Front, tweeted, ‘I answer yes to the invitation of Stephen Bannon… to work together.’”
Western democracies have entered a period of volatility, and Russia is no longer playing by the rules of the game that applied even during the darkest days of the Cold War. Putin is actively waging a hybrid war against the West, one that we are only just beginning to comprehend, let alone confront. It is time to defend our values. This year made us fully aware of the scale of the challenge Putin is posing to Western democracy. In 2017, we must confront – and defeat – his tactics head-on.
Whistling Past the Geopolitical Graveyard
Even with geopolitical conflicts proliferating around the world, global financial markets have reached new heights. But while there are many explanations for why investors might be underpricing today's risks, there is no good reason for them to ignore the possibility of another "black swan" event on the horizon.
NEW YORK – With Emmanuel Macron’s defeat of the right-wing populist Marine Le Pen in the French presidential election, the European Union and the euro have dodged a bullet. But geopolitical risks are continuing to proliferate. The populist backlash against globalization in the West will not be stilled by Macron’s victory, and could still lead to protectionism, trade wars, and sharp restrictions to migration. If the forces of disintegration take hold, the United Kingdom’s withdrawal from the EU could eventually lead to a breakup of the EU – Macron or no Macron.
At the same time, Russia has maintained its aggressive behavior in the Baltics, the Balkans, Ukraine, and Syria. The Middle East still contains multiple near-failed states, such as Iraq, Yemen, Libya, and Lebanon. And the Sunni-Shia proxy wars between Saudi Arabia and Iran show no sign of ending.
In Asia, US or North Korean brinkmanship could precipitate a military conflict on the Korean Peninsula. And China is continuing to engage in – and in some cases escalating – its territorial disputes with regional neighbors.
Despite these geopolitical risks, global financial markets have reached new heights. So it is worth asking if investors are underestimating the potential for one or more of these conflicts to trigger a more serious crisis, and what it would take to shock them out of their complacency if they are.
There are many explanations for why markets may be ignoring geopolitical risks. For starters, even with much of the Middle East burning, there have been no oil-supply shocks or embargos, and the shale-gas revolution in the United States has increased the supply of low-cost energy. During previous Middle East conflicts – such as the 1973 Yom Kippur War, Iran’s Islamic Revolution in 1979, and Iraq’s invasion of Kuwait in 1990 – oil-supply shocks caused global stagflation and sharp stock-market corrections.
A second explanation is that investors are extrapolating from previous shocks, such as the attacks of September 11, 2001, when policymakers saved the day by backstopping the economy and financial markets with strong monetary and fiscal policy easing. These policies turned post-shock market corrections into buying opportunities, because the fall in asset prices was reversed in a matter of days or weeks.
Third, the countries that actually have experienced localized asset-market shocks – such as Russia and Ukraine after Russia’s annexation of Crimea and incursion into Eastern Ukraine in 2014 – are not large enough economically to affect US or global financial markets. Similarly, even as the UK pursues a “hard Brexit,” it still only accounts for around 2% of global GDP.
A fourth explanation is that the world has so far been spared from the tail risks associated with today’s geopolitical conflagrations. There has not yet been a direct military conflict between any major powers, nor have the EU or eurozone collapsed. US President Donald Trump’s more radical, populist policies have been partly contained. And China’s economy has not yet suffered from a hard landing, which would create sociopolitical instability.
Moreover, markets have trouble pricing such “black swan” events: “unknown unknowns” that are unlikely, but extremely costly. For example, the market couldn’t have predicted 9/11. And even if investors think that another major terrorist attack will come, they cannot know when.
A confrontation between the US and North Korea could also turn into a black swan event, but this is a possibility that markets have happily ignored. One reason is that, notwithstanding Trump’s bluster, the US has very few realistic military options: North Korea could use conventional weapons to wipe out Seoul and its surroundings, where almost half of South Korea’s population lives, were the US to strike. Investors may be assuming that even if a limited military exchange occurred, it would not escalate into a full-fledged war, and policy loosening could soften the blow on the economy and financial markets. In this scenario, as with 9/11, the initial market correction would end up being a buying opportunity.
But there are other possible scenarios, some of which could turn out to be black swans. Given the risks associated with direct military action, the US is now alleged to be using cyber weapons to eliminate the North Korean nuclear threat against the US mainland. This may explain why so many of North Korea’s missile tests have failed in recent months. But how will North Korea react to being militarily decapitated?
One answer is that it could launch a cyber attack of its own. North Korea’s cyber-warfare capabilities are considered to be just a notch below those of Russia and China, and the world got an early glimpse of them in 2014 when it hacked into Sony Pictures. A major North Korean cyber attack could disable or destroy parts of the US’s critical infrastructure, and cause massive economic and financial damage. That remains a risk even if the US can sabotage North Korea’s entire industrial system and infrastructure.
Or, faced with disruption of its missile program and regime, North Korea could go low-tech, by sending a ship with a dirty bomb into the ports of Los Angeles or New York. An attack of this kind would most likely be very hard to monitor or stop.
So, while investors may be right to discount the risk of a conventional military conflict between the US and North Korea, they also may be underestimating the threat of a true black swan event, such as a disruptive cyberwar between the two countries or a dirty bomb attack against the US.
Would an escalation on the Korean Peninsula be an opportunity to “buy the dip,” or would it mark the beginning of a massive market meltdown? It is well known that markets can price the “risks” associated with a normal distribution of events that can be statistically estimated and measured. But they have more trouble grappling with “Knightian uncertainty”: risk that cannot be calculated in probabilistic terms.