The Battle for Cyber Space

The Geneva Centre for Security Policy podcast is your gateway to top conversations on international peace and security. It will bring you timely, relevant analysis from across the globe with over 1,000 multi-disciplinary experts speaking at 120 events and 80 courses every year. Click subscribe, download on your favourite podcast player, get notified each time we release our weekly episode.

Podcast Episode 27

Ms Ashley Müller: Welcome to the Geneva Centre for Security Policy Podcast. I’m Ashley Muller. This week’s episode explores some of the latest global issues affecting peace, security, and international cooperation. 

Ms Ashley Müller: The race to take over cyber space and dominate the digital world is rapid and ever changing as global actors push the limits. We speak about the battle for cyber space with Dr Adam Segal, Ira A. Lipman Chair in emerging technologies and national security and director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations (CFR).

Ms Ashley Müller: Dr Adam Segal from Council on Foreign Relations speaks with Dr Robert Dewar, Head of Cyber Security at the GCSP on the Battle for Cyber Space.

Dr Robert Dewar: Welcome, Adam, thank you very much for coming to Geneva Centre for Security Policy. If you could just tell us what in your view are the main areas of concern in the current US China relationship when it comes to cyber issues?

Dr Adam Segal: I think both sides are worried about how cyber space affects core national interests, security and economic interests and both have pivoted to trying to shape international cyber space the rules, the technology, the behaviours. I think the pivot is, in some ways more surprising in the Chinese case. , we often conceived of China as being very inwardly focused on cyber space, filtering technology, keeping information out what we broadly know is known as the Great Firewall. But the fact is, is that China increasingly now sees the ability to shape international cyber space as important to its domestic concerns, and I think the US was, in part caught unaware, by that it was slow to react, and now is trying to, I think, regain some of the initiative on how you think about and define the rules of behavior. 

Dr Robert Dewar: Do you see that as particularly problematic that we've got China and the US competing both economically, but also diplomatically?

Dr Adam Segal: I think the problem is one, the breadth of the competition seems unbounded. So both sides increasingly see the competition as zero sum and don't have a lot of areas where they have cooperative interest. And the other is, is that the rules of the competition are uncertain and unknown, certainly on the actual operations side, on what type of hacking might be legitimate or what types of behavior might be legitimate. There is a divide between the two actors. The US for a long time has tried to convince the world that there are certain types of hacking that would be legitimate. Most of those would be political-military, which is, countries always have spied and they will continue to spy and we cannot expect any real international regulation of that. But the theft of industrial secrets through cyber enabled means should be considered illegitimate and has brought pressure on China to accept that norm. China briefly seemed to accept that norm but now agreement between the US and China on hacking seems to no longer be followed. So there's clearly some space for competition and misunderstanding there. I think the other worrying issue is that on the rules for cyber conflict, or what we might consider cyber war, both sides also have very different understandings of the application of international law and other norms. So you can imagine that a crisis or other type of political tensions in the South China Sea or Taiwan straits could escalate in ways that neither side truly wants or could control. 

Dr Robert Dewar: You’ve painted a picture of important concerns, as you said, for national security purposes and economic security. And there is a prevailing narrative that cyber issues and the conflicts and problems that arise through differences of approach to cyber issues tends to repeat that conflict and ingrain that conflict. So the narrative sometimes from, from my perspective, and I'm sure from your perspective, is often very negative when it comes to cyber issues. Are there opportunities? Is there a positive message that we can take from some of the aspects of the US-China relationship just as kind of ameliorate the narrative? 

Dr Adam Segal: So it is very hard to find right now shared interests, common interests I and that really part of it is cyber right. I think part of it is how far apart the two sides are on common cyber understandings but a lot of it just has to do about the state of the US China relationship right now is so lacking in trust, that it's hard to figure out where that space would be. That said, not trying to fight this scenario. There are clearly some areas where there should be shared concern. The first one is the one that I already alluded to, which is that neither side wants a cyber issue to spill over into the physical world, because of miscalculation, right? Neither side wants to be dragged into something that they didn't, that they weren't planning for. And so here bilateral or multilateral, or through the UN discussions about thresholds for the use of forced or armed attack, some commonly shared conceptions about escalatory ladders, or discussions about that, because there's a lot of worrying differences between how the two sides talk about deterrence in cyber space and, for example, in some of the open source, Chinese writings, what they consider an attack that would kind of a deterrent value from a Western or US perspective would seem to be a failure of deterrence. So in some cases, Chinese writers say, you can restore deterrence by taking the adversaries’ command and control systems? Well, from a US perspective, that would not be a deterrent movement, that would be a failure of deterrence, you're already escalated. So trying to get some understanding there and there were forums for that there was a Strategic and Economic Dialogue between the two sides, number of track twos and 1.5’s. And then the UN process through the group of governmental experts, all of those right now or,have their own political problems, the bilateral discussions aren't happening. Track 1.5 that really kind of, as far as I can tell, slowed down and the UN GGE process. The last meeting had this serious disagreement about application of international law. And now we have two processes with the UN GGE and the and the open ended working group. So I don't think there's a lot of unfortunately right now, there's not a lot of progress on that side. Those discussions could also talk about some shared value, I think in a shared interest in protecting the basis of the internet. So , people talk about the domain name system and other kind of core systems of the internet, which neither side really has a has a huge amount of desire to see go down, it would have a damaging effect on both the economies and they might be some shared interest in talking about targets that should be off limits, the financial system. So there I think there are shared interests. I just I'm not sure there's the political ability or desire right now to work on them. 

Dr Robert Dewar: That's a really interesting point that you mentioned about what would be considered off limits whether the the core of the internet should be protected or considered as some kind of impermissible targets and remember some of the discussions happening after the UN regarding what would be should be considered in the cyber context to be an unacceptable target for anyone in any situations. But there's been a lot of discussion around norms around developing norms and how to manage state behavior in that sense, particularly questions, as you mentioned, that applications of international law and but given that the rules are still quite fluid, the rules are still it's not that they're unaccepted but they are there's still a great deal of discussion about what those rules actually entail. And given we have all those rules, regulations, rights, etc, and to manage and moderate responsibility or to encourage responsible state behavior, the question then comes who should be the arbiter of that state behavior? Who should if anybody who should be in your view should be the enforcer of legal frameworks and norms regarding cyber issues?

Dr Adam Segal: I think there's, as you point out, there's kind of two processes going on. There's a kind of norms, discussion, and norms generation, which is happening, both and the kind of the multilateral level rights of the UN process. We've talked about some of the bilateral discussion And it's also happening with non-state actors, right? So the global Commission on stability and in the Microsoft convention and the Paris accord, which is a kind of mixture of state and non-state actors. So I think there's a lot happening. That's, as we always say, with the internet, multi-stakeholder and then there's actual state behaviour. So what states do and what they take responsibility for, and we're seeing more of that, right. So the US has now conducted several cyber offensive cyber operations and said, yes, we did that. And that is why we did them here that here are the justifications for why we did them. So those are, I think, our two processes, who becomes the arbitrator? I think the issue is, unfortunately, there is no arbiter and we're seeing a split between, what we might call like minded groups. So, here is a set of like-minded countries saying, here's the behavior we've attributed to specific Russian actors, this behavior is unacceptable in international behavior. And we reserve the right to sanction it. So I think you're going to start seeing that and we've started seeing that process happen more often. But that is, in many ways going to accelerate but people are already talking about which is a splinter net or bifurcation or decoupling, or however you want to talk about.

Dr Robert Dewar: And then it becomes less a question of innocent till proven guilty but guilty by virtue of attribution and by virtue of the political act of attribution. And do you see in that question of enforcing international law, or do you foresee that question of enforcing international law problems with the politics of attribution, given attribution is possible, but very, very difficult and fraught with technical and forensic problems, and ultimately, then it becomes a political decision. Do you see issues there with the enforcement of norms and laws when it is a political decision as to whether or not to attribute? 

Dr Adam Segal: I think there's a political issue, as you said, is that in almost all of the cases, you are not relying simply on digital forensics, you're drawing on other intelligence means. And so, as you said, there's a kind of decision that political policymakers have to make about whether it is worth burning those technical means to score political points on the attribution. And then you have to convince both your partners and the and the rest of the world that this intelligence is legitimate. So there are clearly those political costs. I think the other issue is, is that as you alluded to, those resources are not evenly distributed in the world, right. attribution is hard, but it's harder for some than others. I mean, we've seen some small players, the Dutch, in particular, have moved up and demonstrated some significant capabilities, but there's lots of countries that don't have those attribution capabilities. And so then you get into the issue of well can only some people Trees attribute and others, others can't. I think there were attempts to try and address that concern through third party attribution. And I think, again, referring back to non-state actors. Microsoft had been floating this idea of a third party attribution center. They've set up the Cyber Peace Institute, it doesn't seem as if it's going to actually play that role. There are lots of kinds of complicated issues about how you would share the threat with Intel, but I think it is a real problem. And it's one that I think has made it harder to bring in countries outside of the Five Eyes are others with close intelligence sharing with the United States into this naming and shaming and sanctioning regime. 

Dr Robert Dewar: You mentioned Microsoft a moment ago and the question of using other intelligence gathering means particularly in So digital forensics with the analysis of particular offensive cyber incidents. And that raises an interesting question about the role of the private sector, particularly with the discussions at, for instance, the UN and the various global Commission on state behavior. And given the idiosyncratic role that the private sector plays in this particular sector in the digital sector, if we look at, for instance, energy, the private sector is well known for being a lobbying sector or being lobbyists for particular frameworks, regulatory frameworks, etc. in the digital sphere, the private sector and civic society themselves play very different roles to that they're not simple lobbyists in that sense, and I was wondering if you foresee any or see any particular challenges for Cyber peace to use that term and the stability of what is generally called cyberspace given this idiosyncratic a slightly larger role of both the private sector and civic society, in that governance framework.

I think as you said, the companies themselves are, are, I think, uniquely powerful in this space compared to what we saw before in the energy sector or, we clearly, companies before have had foreign policies, right, US fruit companies involved in, supporting regimes and Latin America and oil companies and everything else. But the digital companies, I think both because they control the networks and because they control the data on, somebody country's citizens, I think to have a unique type of power. And you can't imagine some type of shared set of norms or stability without the companies playing a larger role. I think the problem is in all of the societies, there's an inherent tension between what the companies want to do and national security and national economic interest, right. The companies are global platforms. And we saw this really splash into the open after the Snowden revelations, the companies after the revelations from Snowden, made a point of stressing that they were global actors with key users around the world and that they were going to defend their users, which meant also from the NSA. So that increases the tensions between what the companies want to succeed in doing and what the government wants to do. At the same time, as we've seen Chinese companies globalise, and also should have similar tensions. The party in China is actually tightening control over the companies, increasing party representation, the National Intelligence Law, which seems to suggest that all the companies have to play a role in the intelligence gathering. So the companies are, and I think, clearly true for American companies true for Chinese companies are always suspect in third party countries, right, they're always going to be seen as playing some role in intelligence gathering or power projection or some influence there. So it really complicates the role that I think the Companies can play and makes this an even more difficult space to imagine that you're going to have one set of norms, one set of agreements that everyone ascribes to I really do think we're moving to a set of, unfortunately, like-minded or are different groups of this is how we control the internet, this is how we're going to behave and if you're going to act in this space, then this is the rules we expect you to follow.

Dr Robert Dewar: And given those questions around the unique role of the private sector and the challenges that come with a highly technical and technologically developed space and framework as we call the digital space, we hear a lot about those kinds of challenges in conferences and discussions today. And particularly issues of cybercrime, the issues of privacy, the Internet of Things, and if we could move the conversation slightly in a different direction, look at some of the diplomatic challenges that you've alluded to, and I to explore those a little bit more. And what in your view are the primary diplomatic challenges for these, given the kinds of threats, that we're seeing and the kinds of problems but also the kinds of opportunities that new technology and new technology can provide the world today?

Dr Adam Segal: I think , the diplomatic challenges, we are working, I think toward this bifurcated space. So then it becomes very much a challenge of trying to bridge values, which is not an easy thing to do on the diplomatic front, it's easier to point out where you might have some shared interests where it is in the self-interest of all countries to act in a similar way, but the more that cyber space is seen to reflect, democratic values or governance systems, then it becomes, I think, increasingly hard for diplomats to kind of bridge that space. I think the second is, as you alluded to, is that just the technical challenge is, we struggle to get diplomats and analysts and others who had expertise in the digital world to start thinking about international relations and foreign policy, or we struggled to get people who had foreign policy experience to start thinking about digital issues. And, we may have reached a point now, where I think we have a fairly growing centre of gravity. We have a number of cyber coordinators in ministries across the world. The GGE process has been going on for more than a decade. So there's, I think, a growing center of it, but we're now going to be caught with a new wave of innovation driven by AI and quantum and 5G. And so we're going to have to do it all again, in some ways. And those, again, we're gonna have a problem with expertise and talent and things there. So that's all I think is negative. I think on the positive side, we see that coming. And I think we can draw on lessons from what we learned in this last decade on the digital front. So, how do we attract the right type of people? I think we've gotten better at clearly the, as we've alluded to earlier, the next that there's no way of dealing with these problems, it's not going to be multi-stakeholder. So or multilateral, right. So there's no one country that can address all these issues, they're going to need partners. And those partners are going to be both within their own societies and internationally. And so they're going to have to draw on expertise in a whole range of places that, traditionally for ministries but have not been tapping into. 

Dr Robert Dewar: Thank you very much Dr Segal and it's been a pleasure to speak with you today. And thank you very much for coming to Geneva.

Ms Ashley Müller: That's all we have now for today's episode. Thank you to Dr Adam Segal for joining us. Listen to us again next week to hear all the latest insights on international peace and security and don’t forget to subscribe to us on Apple iTunes, follow us on Spotify and SoundCloud. Bye for now.
 

Register for Cyber Security course

Disclaimer: The views, information and opinions expressed in this digital product are the authors’ own and do not necessarily reflect those shared by the Geneva Centre for Security Policy or its employees. The GCSP is not responsible for and may not always verify the accuracy of the information contained in the digital products.