How Cyberspace is Transforming International Security

Faculty Insight

Derek Reveron

Faculty Affiliate, Belfer Center for Science and International Affairs, Harvard Kennedy School and Professor of National Security Affairs, Naval War College

Reveron teaches Cyberspace and International Security at Harvard Extension School. In this Q&A, he helps illuminate the complex topic of his course and career.

In an era when we live so many aspects of our lives online—from sharing details on social networks to managing our finances—our privacy and identity have become increasingly vulnerable. But such vulnerabilities reside within the confines of our private, civilian lives.

What’s at stake when nations turn to cyberspace to display aggression, compromise intelligence, or threaten adversaries?

The high-profile hacks of recent years—Sony, the Democratic National Committee—and the recent “distributed denial of service” attack have brought cyber security to the fore in national and international security circles. In the following interview, Professor Reveron explains the concept of national security, intelligence, and war in the age of cyberspace. His responses reflect his personal opinions, not those of the Belfer Center or the Naval War College.

When Cyber Security Becomes a National Security Issue

Traditionally, national and international security have resided in physical domains: land, sea, and air. But the virtual world today has altered that landscape significantly. What are some security challenges that arise in the “borderless” realm of cyberspace?

Fundamentally, cyberspace is a civilian space, and it’s a human construct. One of the key differences between, say, land borders and cyberspace is that cyberspace is always changing. It’s potentially infinite because more networks, more devices, and more users are constantly being added. All that is contracting the world where someone in Cambridge, Massachusetts can directly engage with government officials in Canberra, Australia.

Cyber challenges the traditional national security divide ... The Department of Defense is responsible for .mil. The Department of Homeland Security is responsible for .gov. But we all live in .com. And there's no equivalent to city or state police to protect us there.

There’s another difference. We are historically, legally, and culturally comfortable with national governments protecting airspace, and land borders and sea boundaries.

Cyber challenges the traditional national security divide: federal government is responsible for international challenges, and state and local governments are responsible for domestic ones. The Department of Defense is responsible for .mil. The Department of Homeland Security is responsible for .gov. But we all live in .com. And there’s no equivalent to city or state police to protect us there.

Since 90 percent of cyberspace resides in the private sector, many new security issues arise. We're talking about Amazon servers, which might host your e-mail account. We're talking about Microsoft Windows or the Apple operating system, which is your interface into cyberspace. Your personal phone is managed by one of the big telecom companies.

Unlike airspace and land borders, the government does not have a natural role in these spaces to promote security or protect citizens.

Government has to balance its obligations to protect national security without compromising the ability of corporations to innovate or citizens to maintain their privacy.

Cyberspace in national security raises interesting questions about the role of the national government in protecting this civilian space. There are all sorts of civil liberties at play, and we need to recognize where the expertise resides.

When it comes to nuclear weapons, for example, the expertise inside the United States is largely, I think, within US national labs and some government-funded university programs. But the expertise in cyberspace lies in publicly traded companies like Microsoft, Apple, or McAfee, or privately held IT startups—not inside the federal government.

Government has to balance its obligations to protect national security without compromising the ability of corporations to innovate or citizens to maintain their privacy.

The next US administration is going to have to deal with the National Security Administration’s (NSA) role in cyber security. I think people often misperceive what the NSA does. NSA and the intelligence community are really working to protect national security by preventing a terrorist attack or countering foreign intelligence activities against the US. Unfortunately, that’s not a mainstream perspective.

How has cyberspace changed the way nations act in times of conflict or tension?

Cyber tools give governments a means to attack, retaliate, or exercise levels of coercion that are short of war. Probably the easiest example would be North Korea.

A big area of debate is whether cyber is a war-fighting tool or an intelligence tool.

When North Korea wanted to express dissatisfaction with the US due to a movie release, it didn’t attack US forces in South Korea or harass commercial ships bound for the US. Instead, it conducted a cyber attack against Sony Entertainment. What North Korea lacks in missile technology gave it the means to attack the US through cyberspace.

You write in your book Cyberspace and National Security that given the infancy of cyberspace, there are significant gaps in governance, policy, and law. What implications do these gaps have for the international community?

A big area of debate is whether cyber is a war-fighting tool or an intelligence tool. Right now it tends to be more widely used in espionage as an intelligence tool.

That’s partly because when we look at conflict between countries, it isn't really that common. Most conflict in the world today is internal. It's civil war in Syria, civil war in Afghanistan, insurgency groups in Nigeria or Columbia.

We haven't seen cyber interface in a traditional war-fighting role (yet). Dozens of countries are developing military cyber commands, though. So the next interstate conflict will likely include cyber attack.

It's rare that another country invades another. Russia’s invasion of Ukraine is the most recent example. But state invasion of another country doesn’t happen that often. We haven’t seen cyber interface in a traditional war-fighting role (yet). Dozens of countries are developing military cyber commands, though. So the next interstate conflict will likely include cyber attack.

Nonetheless, in legal terms, it’s not necessarily the means of an attack but the effect. If it's violent, widespread, and sustained, then legal scholars will argue that it doesn't matter if it’s a cyber attack or a missile attack—what matters is the impact.  

In the intelligence realm, a cyber attack takes the form of economic espionage or intellectual property theft. There are many accusations of Chinese state entities or sponsored groups targeting American companies for intellectual property, which is then used to benefit Chinese business.

… geographically the US has been pretty lucky and immune from conflict, unlike other parts of the world. Cyberspace changes that—especially because the US is one of the most connected countries. And we increasingly put more of ourselves in this domain.

In fact, the US and China signed an agreement about a year ago that said neither country would use their intelligence services to conduct economic espionage for commercial value or gain.

But they didn’t agree to outlaw espionage. That's in part because governments rely on their intelligence sources as a warning mechanism to see if there are dangers—to validate what's being said in public or private meetings.

Although cyber attacks haven’t yet been seen in traditional warfare, it will come. This will change the American experience of warfare, no?

Yes. What really interests me is that geographically the US has been pretty lucky and immune from conflict, unlike other parts of the world. Cyberspace changes that—especially because the US is one of the most connected countries. And we increasingly put more of ourselves in this domain.

If you think about it, American presidents have used military force about 50 to 60 times since World War II. Those conflicts always take place overseas. We're not defending our own borders. Missile strikes and air strikes are not happening inside the United States. Our enemies have had very little opportunity to retaliate against the US population through traditional warfare.

Banking, telecommunications, and electrical power: these three sectors are vital to the functioning of our society. And they are potentially exposed in future conflicts through other military cyber components.

Let's go back to 2001 and the war in Afghanistan. Let's say the Taliban had the means to counterstrike the United States, and they didn't. Back then they hated technology, though they've embraced it now. Afghans were in the battlespace in 2001, not Americans. The Taliban had no means to attack the United States.

Cyber in the future has the ability to change that. That’s where it exposes Americans and the big sectors. Banking, telecommunications, and electrical power: these three sectors are vital to the functioning of our society. And they are potentially exposed in future conflicts through other military cyber components.

How is the international community working cooperatively to address cyber threats and vulnerabilities? There have been efforts within the UN and NATO to set some standards across the board, but what are some of the challenges?

There are local instances, like the Boston Global Forum. The forum recently convened groups of experts from around the world to develop a set of international norms to regulate government behavior in cyberspace. I was part of the group developing these norms. At a G7 summit in Japan in May 2016, participating nations looked at our norms as a way to try to reinforce state behavior.

The first step we established involved controlling government behavior. The next outlined the responsibility of governments to control malicious behavior that exists below the state level.

Graphic presentation of Boston Global Forum cyber standards

Chinese military intelligence is one problem, but we expect regular bilateral meetings and relationships between the US and China to control state behavior—military or intelligence.

But there isn’t a great mechanism to control individual behavior because organized crime has moved into cyberspace. You can look at tax fraud in the US—people filing false tax returns—and identity theft as examples. This is where governments have to regulate cyber behavior within their own borders.

Cyber security is one of the growth areas at the national level. What's driving this are large scale hacks certainly, because the US systems and networks are so vulnerable. Both at the government and individual level, people recognize we must now prioritize security.

We have to promote these norms. Through the Boston Global Forum in September, we held another meeting on cyber civil defense, which was designed to give civilians some guidelines for dealing with attacks.

Again, let’s contrast this with the terrestrial world. Russian bombers regularly fly down the US West Coast as a show of force. Canadian and American planes intercept these bombers. We’re fairly prepared for those scenarios.

What we’re not prepared for is when, say, Russia-based hackers attack US entities or US individuals. It’s unclear in law whose responsibility that is.

Cyber security is one of the growth areas at the national level. What's driving this are large scale hacks certainly, because the US systems and networks are so vulnerable. Both at the government and individual level, people recognize we must now prioritize security.

Companies—even IT companies—are looking for some clarity on standards. The National Institute for Standards and Technology recently released some efforts to improve cyber security through its Framework for Improving Critical Infrastructure Cybersecurity.

Four Predictions for the Future of Cyber Security

If you had to predict one significant change in our progress in cyber security internationally over the next decade, what would that be?

I can think of a few things. Essentially, we should better regulate behavior between governments and ensure they take responsibility for controlling the malicious activity emerging from their borders.

An agreement on international norms for how governments behave in cyberspace would involve everything from protecting civil liberties to adhering to the Law of Armed Conflict in cyberspace, which outlaws targeting civilians.

​​Governments also have to crack down on malicious cyber activity inside their borders. Organized crime has moved into cyberspace, and identity theft is a business. Tax fraud is a business. Governments have to prioritize those spaces as well. But it’s hard because there's a limited pool of people who have expertise in this area.

A third prediction is that software companies will prioritize security. Cyber attacks are the result of vulnerabilities in the software that we use. As more nontraditional devices like thermostats, televisions, and refrigerators are added to networks, software security needs to improve.

Finally, we will all begin to practice better cyber hygiene. Update your software, don’t click on links that promise things too good to be true, and change your passwords. The future will require us all to be vigilant.

Share this story

More posts from Inside Extension


Comments


Piers (not verified) replied:

With the increase in domestic and business related Smart devices, the risks described appear ever greater?!

October 29, 20165:54am


Add a comment

By submitting this form, you accept the Mollom privacy policy.