Location:
Columbia Institute for Tele-information
Columbia University Business School
1:35pm-2:30pm June 28, 2019
The State of Cyber-Security and Resilience
Moderator: Professor Richard Berner, Executive-in-Residence and Adjunct Professor, Leonard Stern School of Business, New York University
● Jason Healey, Senior Research Scholar, School for International and Public Affairs, Columbia University
● David Balcar, Security Strategist / Cyber Profiler, Carbon Black
● Rich Jacobs, Assistant Special Agent, FBI
● Lesley Ritter, Associate Vice President, Moody's
● Dr. Edward M. Roche, Executive Director, Institute for Cyber Arms Control
Below: Panel Comments of Edward M. Roche
Title: Cyber Stability
A political science perspective.
There is an arms race.
Nations are developing both offensive and defense cyber weapons.
In the US, this work is done by the NSA’s Cyber Command.
Other countries have equivalent organizations.
Cyber has become part of warfare.
Cyber attacks damage infrastructure, including financial services.
Perhaps in the not too distant future, there will be a very major cyber war.
An Internet Melt-down –– a global cyber emergency.
Disruption of nations and their economies.
How can the international community handle such a catastrophic event?
Lets look back.
Role of the United Nations Security Council
The UN Security Council was set up to serve as a mechanism to prevent war.
But in 1946, when the UN Charter was drafted, there was no Internet.
The UN was designed to handle conventional warfare.
You know, bombs, guns, battleships, that kind of thing.
Some have argued cyber makes the UN obsolete.
Since cyber attacks are not “kinetic” in nature, there is no role for international peacekeeping.
That is not correct.
In order for the UN to act, it merely must determine under Article 39 of its Charter that there is a threat to international peace and security.
My analysis of Security Council resolutions since 1947 shows that that although at the beginning, it focused on conventional military conflict, over time it has considerably expanded the definition of a threat to international peace and security.
In the past two decades, it has applied Article 39 to situations as diverse as HIV/AIDS, sexual violence, economic underdevelopment, and even transnational crime.
What this means in practical terms is that should there be an international cyber emergency, there is absolutely no barrier to the Security Council being called into action.
But how would this work?
Article 41 of the UN Charter
Under Article 41, the Security Council can call on member States to interrupt or blockade the telecommunications of a country causing the disturbance.
In today’s terms this would mean putting a kill switch on the Internet.
In the offending nation, all of the social media, cloud services, email, and apps would go dark.
Yes, the Security Council could do that.
Would this have an effect? Yes, particularly in a cyber war.
But how would this really work?
After all, most cyber is run by private enterprise.
Could the NSA tell Facebook to cut off access in a country?
Could the U.S. government give commands to Google, or Apple, or Microsoft?
No.
And if some genius proposed enabling legislation to compel US tech giants to comply with UN resolutions, well, the lobbyists in Congress would ensure it never comes to a vote.
So what is the solution?
Perhaps a voluntary code of conduct would be a starting point.
The Cyber Arms Race
But the bigger problem is the cyber arms race.
There is an urgent need for an international convention to control the proliferation of cyber weapons.
Cyber non-proliferation.
But cyber weapons are different.
They are invisible.
With nuclear weapons, there is a complicated fuel cycle for manufacturing.
But with malicious code circulated on the Dark Web, creating weapons is only cut and paste.
How can one define a cyber weapon?
Are all viruses weapons?
They may not be counted like bombs or rockets.
What does that mean? That no arms control treaty could have a quantitative element?
If you don’t count, then what exactly is going to be controlled?
Why would countries give up their cyber weapons? Or even admit they have them?
Is international law the answer?
Law is evolving at its typically glacial pace.
Informal norms may lead to binding norms, then to customary international law, then to treaties.
UN Norms for Cyber Stability
The UN General Assembly First Committee, which looks at disarmament, has been working on cyber norms.
For example, cyber attacks should not target Emergency Response Teams.
A nation should not allow its territory to be used as a base for cyber attacks.
Nations should cooperate in investigating the source of an attack.
Nations should guarantee the security of the ICT supply chain to prevent tampering with equipment.
Cyber weapons should never target medical facilities.
But to be honest, a close reading of these norms reveals loopholes.
For example, a norm may have a phrase such as “in accordance with legal obligations”.
Self-defense is a legal obligation, so there is a loophole for defensive cyber weapons.
But don’t be too cynical about it.
Right now, this is the best that we can do, folks.
Just remember one phrase: “Non-proliferation of cyber weapons”.
Everything else will follow.