Abstract
International relations theory, analysis, policy, and strategy were derived from experiences in the nineteenth and twentieth centuries and, therefore, were built on the assumptions that states are the relevant entities in world politics, and agreements among states will reduce the potential for conflict and violence. This traditional view respects national borders and territorial integrity and assumes that cross-border transgressions are exceptions. But some critical features of cyberspace do not correspond with this traditional view of the state system and the usual ways that nations engage in politics and conflict. Cyberspace has created new ways to aggravate global tensions and new opportunities for avoiding conflict. Already, new patterns of cyber-based conflict have been exposed, from transnational crime and espionage to cyberwar that could disrupt military systems, shut down government servers, or damage critical infrastructure. While there is some emergent cooperation in regard to cyberspace, such as cyber-crime treaties, these efforts are just beginning. An understanding of how the cyber domain influences international relations theory and practice—including its implications for power, politics, conflict, and war—is crucial to the expansion and success of such efforts.
Early in the twenty-first century, new, cyber-based threats to the well-being of individuals, economies, and societies added a new dimension to the well-understood threats of the twentieth century. For the first time in human history, advances in information and communications technologies are potentially accessible to much of the world’s population. These Internet-based advances allow almost anyone to disseminate messages, meaning that a wide range of actors, state and non-state, have the potential to disrupt networks and commerce with relatively little fear of discovery. In cyberspace, it is hard to know with certainty what is behind a particular action—and actions in one place can have effects around the world.
A powerful example of how advances in cyberspace have changed the national security environment is the deployment of Stuxnet, a complex piece of malicious software that reportedly damaged the uranium enrichment facilities of Iran’s nuclear program (Broad and Sanger, 2010). Both Israel and the United States have been blamed as creators of the virus, but in part because of the nature of cyberspace, the origin of the software remains in dispute. 1 Another apparent case of international relations conducted in cyberspace were the 2007 cyber attacks that overwhelmed the websites of prominent Estonian organizations, including public-sector agencies, banks, and media firms. Some Estonian officials blamed Russia for the attacks, but responsibility was never proved. Similarly, in 2010 Google announced that it and a variety of high-tech, security, and defense firms had been targeted in an attempt, apparently originating in China, to gain access to and steal valuable digitized information. The episode resulted in a temporary shutdown of Google’s China site.
This new, cyber dimension of international affairs presents great challenges to deterrence, a cornerstone of national security policy since the end of World War II. In the traditional, pre-Internet deterrence context of the twentieth century, the United States and the Soviet Union—state actors with symmetrical capabilities, known identities, and shared aversions to the escalation of tensions—presided over a bipolar international system. International relations in the twenty-first century, by contrast, involve a large number of new states created at the end of the Cold War, as well as a wide range of non-state actors that inhabit a complex environment characterized by asymmetries, obscured identities, few shared aversions, and diverse, often unknown goals and objectives (Choucri, forthcoming).
Cyber threats are serious, growing, and destabilizing. The deterrence theories and strategies created and employed during the Cold War are not easily portable to the cyber domain. Some prominent research groups are attempting to understand the cyber revolution in international affairs, and governments have made a few efforts to cooperate in cyber matters, notably in the area of Internet-based crime and the creation of Computer Emergency Response Teams (CERT). In general, though, policy responses lag far behind developments in the virtual realm. In large part because of the evolving characteristics of cyberspace, the full range and effects of cyber interactions and the potential scale and scope of cyber threats simply are not well understood. A relatively new joint effort of Harvard and MIT—the Explorations in Cyber International Relations project—aims to create a new research discipline that integrates cyberspace into the fabric of international affairs, in all of its manifestations, such as to eliminate the current tendency to consider cyberspace and international affairs as two distinct parallel arenas or areas of interaction. This new initiative seeks to provide the theories, data, and analytic tools tailored to the complexities of the twenty-first century and necessary for governments to make sense of, and successfully manage, their international relations in the cyber era.
Emerging attention to cyber governance
In his recent book on cyberwar, Richard Clarke, the former US counterterrorism czar, concludes that the international community should develop cooperative strategies for dealing with the new state of international cyber affairs (Clarke and Knacke, 2010). While he highlights treaty making, the broader issues are of bringing order into the chaotic cyber environment. Cyber governance at national and international levels consists of mechanisms designed to institutionalize support for stable and robust cyberspace and cyber-based interactions, to enhance cyber security, to minimize cyber disruption and damage, and to deploy cyber venues that enhance human well-being.
The Convention on Cybercrime, adopted by the Council of Europe on November 8, 2001, stands out as a formal initiative in this arena. The convention focused on copyright infringement, violations of network security, and Internet espionage (Council of Europe, 2001) and tried to foster international cooperation by harmonizing criminal laws and investigative and prosecutorial procedures around the world. By 2012, 32 states had ratified the convention—including the United States, where the convention went into effect in 2007—and another 15 countries had signed but not yet ratified the accord. Importantly, though, China, Russia, and many Eastern European countries have not signed. Despite its incomplete membership, the convention does represent a level of formal cooperation on cyber crime that had not previously existed.
At the same time, however, rivalry among the major powers and contentions over the principles that should govern cyber-based interactions prevent the development of worldwide governance structures for managing cyber crime, as well as many other deleterious activities. For example, China and Russia recently offered the Shanghai Cooperation Organization as a replacement for the Convention on Cybercrime. Founded in 2001, the organization’s membership consists of China, Kazakhstan, Kyrgyzstan, Russia, Tajikistan, and Uzbekistan (Scheineson, 2009); on many diplomatic and strategic issues, the organization is more closely aligned to China and Russia than to the United States, Europe, and Japan. But it would be futile to look for internal consistency on all matters of politics—national or international—or to expect consensus on the definition of the problems or on agreement over the priorities for global action. Russia, for example, has a formal policy to focus on the “information war”—defined as actions by a state to undermine another state’s “political, economic, and social systems”—and not on agreements to stop cyber crime.
In the United States, there has been increased talk on the need for a policy to deal with international cyber threats. In 2009, the US government completed a review of its cyber-security policy and created the high-profile Cyber Command, which unifies the Army, Air Force, Navy, and Marines. The Obama administration subsequently appointed Howard Schmidt as the White House cyber-security coordinator, and, in 2011, the US Defense Department developed its own cyber strategy (Department of Defense, 2011).
The public version of this strategy document emphasized five strategic initiatives: treating cyberspace as an operational military domain, employing new defense operating concepts, partnering with other US government agencies and the private sector, building relationships with allies and partners to strengthen collective cyber security, and leveraging the nation’s workforce for technological innovation. Nonetheless, some observers have argued that the strategy is insufficient, because it lacks a unified approach, specific details and timetables, and funding sources (Clarke, 2011; Nakashima, 2011).
At the international level, new institutional mechanisms were designed to support global cyber security, most notably the CERT. Originally developed by the US Defense Advanced Research Projects Agency, the CERT Coordination Center was established at Carnegie Mellon University in November 1988. Since then, the CERT system has expanded worldwide, with more than 250 organizations that deal with Internet security problems. 2 The core functions of the teams—as defined by the coordination center—involve response to security emergencies, promotion of valid security technology, and protection of network continuity. The usual problems of coordination persist, most notably in the collection of data on cyber threats where there is little agreement on definition or measurement practices. Effective coordination will evolve over time, probably at a slower rate than actual threat incidents.
There is widespread recognition of the rapidly changing nature of cyber interactions, the diversity of cyber threats, and the growing potential for response strategies. Existing research initiatives that focus on global cyber security include the NATO Cooperative Cyber Defense Center of Excellence in Estonia and the Information Warfare Monitor, a public–private venture between the Citizen Lab at the Munk School of Global Affairs, University of Toronto, and the SecDev Group, an Ottawa-based think tank. The Information Warfare Monitor recently issued reports on cyber espionage—the theft of national and corporate information from networks—and Chinese cyber-surveillance activities. The NATO Cooperative Cyber Defense Center, established in response to the 2007 Estonia cyber attacks, focuses on expanding capability, cooperation, and information sharing among NATO countries.
A new cyber initiative
The above-mentioned organizations are venues in which some cooperation and research can occur, but there are no programs that have a central mission to provide a theoretical framework as well as the data and analytical tools for understanding and responding to the international cyber reality of the twenty-first century. The joint MIT and Harvard Explorations in Cyber International Relations (ECIR) project, launched in 2009, hopes to change that by creating an integrated view of cyber and “real” international relations. 3 It is designed to realign the foundations of international relations theory and policy with the new realities of cyberspace by establishing a new multidisciplinary field of study. To educate a new generation of researchers, scholars, and analysts and to equip them with the necessary tools for this century, the project aims to clarify threats and opportunities in cyberspace in regard to national security, national welfare, and national influence and to provide analytical tools that can help governments understand and manage the cyber domain as it evolves over time.
Housed at MIT, the joint project consists of 15 faculty members and senior researchers (political science, business and management, and computer science) at MIT and at Harvard University’s Kennedy School of Government and its Law School. There are currently 13 post-doctoral associates or fellows, as well as graduate researchers and undergraduate students. The project activities consist of research, educational initiatives, and outreach initiatives—in addition to the usual scholarly production of publications, policy briefs, and advisory activities, nationally and internationally.
From a theory perspective, the project seeks to understand the opportunities and vulnerabilities created as nations and non-state actors interact in cyberspace—where, how, and with what effects. This interaction is clear in the real world, but there is very little systematic knowledge about this in the cyber world. For example, it is unknown who or what holds the reins of power in the cyber world—that is, exactly what entities, and under what mandate, enable the flow of information (and how they enable this flow at various points in the process). This information must be garnered if basic features of the cyber domain are to be understood.
From a technological perspective, the project explores, for example, the extent to which existing methodologies in analysis of international relations are portable to the cyber arena, and to adjust these as needed, or, alternatively, to customize methods to the cyber domain. There are several key questions that must be answered. Among them: Who will steer the technological evolution of the cyber domain and how? Is the Internet today a model for the future? Is it changing? If so, how? If not, why not?
The policy challenge is to render the toolkit of policy responses more consistent with the complexities of cyber realities. So far, cyberspace has been an open arena. But this is changing. In the United States, lawmakers are struggling with how to manage competing interests, currently illustrated by the 2012 proposed anti-piracy bill. Almost everywhere, there are contentions over regimes for regulating interactions in the cyber domain. China and like-minded states focus on uses of the state-based International Telecommunications Union (ITU) and the IGF (Internet Governance Forum), for example, while the United States and other like-minded states prefer to rely on the private-sector arrangements customized to the cyber domain, such as the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Engineering Task Force (IETF), among others. From a diplomatic perspective, the challenge is to frame new modes and instruments of negotiation to manage the interactions of the real world and cyberspace. Internationally, the World Summit on Information Society (Geneva, 2003; Tunis, 2005) and other similar projects seek to formulate common principles, practices, and priorities for the cyber domain. And the 2011 London Conference on Cyberspace launched—with little apparent success—an international inclusive dialogue to help guide the behavior in cyberspace.
New research initiative
If ECIR is to achieve its mission—notably to improve the understanding and management of cyber interactions, reduce conflict, and enhance efforts to contain or prevent the deployment of cyber weapons of large-scale destruction and large-scale, cyber-driven disruption—it must effectively reduce, if not entirely eliminate, three critical disconnects or gaps in current understandings and practices.
The cyber–theory gap
There is an enormous disconnect between the cyber realities of today and the theories of the twentieth century, which continue to guide national policy and international relations. For example, the emphasis on the state-based system of international relations is increasingly tested more by a wide range of new actors—from Wikileaks’ Julian Assange to the jihadist webmasters of Al Qaeda—with new cyber-enabled modes of interaction. To close the cyber-theory gap, the collaboration between one of the authors of this article, political scientist Nazli Choucri, and computer scientist David D. Clark, who in the 1980s led development of the Internet’s architecture, created a framework for integrating cyberspace into the fabric of twenty-first-century international relations. One of the most significant insights gained so far from this mapping effort involves the large degree to which the entire cyber system is run and controlled by the private sector in a world where state-based international institutions are seeking to extend sovereign authority over the cyber domain.
The empirical–data gap
Well-recognized, there is a powerful disconnect between cyber activities on the one hand and the quality, integration, and consistency of the data about these activities on the other. To close these gaps, ECIR set out to identify, collect, and reconcile (where possible) existing data sets relevant to cyber international relations and propose new uses and integration of data into theory and policy. It must also find ways of facilitating analysis of large-scale data—such as statistics on cyber access by country—from diverse perspectives and for different purposes.
An example of research to close the empirical–data gap is the construction of the cyber-data dashboard—developed by the ECIR team and led by MIT computer scientist Stuart Madnick—to harness and, to the extent possible, reconcile diverse cyber-data sources, including CERT data. The dashboard functions as a simple, easy-to-use source for global and nation-level data, with specific emphasis on cyber-security threat data and high-profile events. Its first version focuses on the data generated by CERT to provide a coherent overview of cyber-threat incidents worldwide.
The policy–analysis gap
This disconnect is between traditional modes of policy analysis and the realities that focus largely on states and threats through the cyber domain that involve non-state actors, isolated individuals, or groups whose identity is not known, for example. Generally, national leaders turn to past policies—based on past realities—when responding to new challenges. In some arenas, this can be a wise practice, and one supported by institutional and bureaucratic logic, but there are no precedents for cyberspace as a domain of international interaction.
Closing the policy–analysis gap is perhaps best illustrated by one of ECIR’s research activities. It involves modeling the cyber politics surrounding the Arab Spring, which highlighted the fragility of regimes worldwide and the ability of coordinated dissidents to challenge or topple governments with the help of cyber organizing tools. Political revolts in seven countries were triggered by the events in Tunisia in December 2010, followed by a similar but more far-reaching initiative in Egypt. A modeling effort led by Daniel Goldsmith and Michael Siegel, both at the MIT Sloan School of Management, is a dynamic simulation project that investigates how cyber venues are used in the pursuit of regime change. The analysis shows how cyber interventions both enable dissidents, via faster and more widespread messaging capability, and enable regimes, via the ability to block content on, block access to, and gather intelligence through the Internet. The nature of the race between them was powerfully influenced by the dissidents’ use of social networks and, when the Internet was shut down, the use of traditional phone lines.
Conclusion
If the ECIR mission is to be successful, it must integrate the real and the cyber into a unified framework to help steer policy makers and practitioners through the twenty-first century—and, of course, provide a new generation with a relevant education buttressed by methods of inquiry, educational capabilities, and tools of analysis for current realities.
The remarkable growth of cyber access worldwide has brought with it an increasing diversity of actors and entities. English—long the dominant language on the Internet—is now used by less than 30 percent of the Internet population. All countries, and a large fraction of the world’s population, are engaged in the cyber domain. And these shifts in the cyber demography and ecology have real-world ramifications that have few precedents if any.
Time is most certainly of the essence: What we see, know, and understand today in the cyber domain may not be the same realities of tomorrow.
Footnotes
Funding
This work is funded by the Office of Naval Research under award number N00014-09-1-0597. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the author(s) and do not necessarily reflect the views of the Office of Naval Research.