by Jared Cohen
Development assistance and foreign aid will take on a digital dimension too, buoyed by these new multilateral alliances. The trade of foreign assistance for future influence won’t change, but the components will. In a given developing country, one foreign power might be building roads, another investing in agriculture and a third building fiber networks and cell towers. In the digital age, modern technology becomes yet another tool for forging alliances with developing states; we shouldn’t underestimate how important technological competency will be for these countries and their governments. The push for foreign aid in the shape of fast networks, modern devices, and cheap and plentiful bandwidth may come from the population, pressuring the governments to agree to the necessary preconditions. Whatever the impetus, future states in the developing world will make a long-term bet on connectivity and align their diplomatic relationships accordingly.
New alliances will form around commercial interests as well, particularly copyright and intellectual-property issues. As commerce moves increasingly to the online world, the dynamics around copyright enforcement will lead to another layer of virtual alliances and adversaries. Most copyright and intellectual-property laws are still centered on the notion of physical goods, and there are divergent attitudes about whether theft or piracy of online goods (movies, music and other content) are equivalent to the theft of physical versions of those same items. In the future, states will begin to wade more deeply into legal battles over copyright and intellectual property because the health of their commercial sectors will be at stake.
There have been multiple international agreements dealing with copyright laws: the Berne Convention of 1886, which requires mutual recognition of the copyrights of other signatory states; the Agreement on Trade-Related Aspects of Intellectual Property Rights of 1994, which set the minimum standards for intellectual-property rights in World Trade Organization (WTO) states; and the World Intellectual Property Organization (WIPO) Copyright Treaty of 1996, which protects information-technology copyrights against infringement. The laws that govern copyright around the world are generally the same. But each country is responsible for enforcement within its borders, and not all countries are equally vigilant. Given the ease with which information crosses borders, people who pirate copyrighted material are typically able to find virtual safe havens in countries with less stringent regulation.
The great concern among intellectual-property watchers in the technology world is China. Because it is a signatory to the conventions above, technically it is bound to the same standards as other countries, including the United States. At the Asia-Pacific Economic Cooperation (APEC) CEO Summit in 2011, then Chinese president Hu Jintao privately told a small group of business leaders that China would “fully implement all of the intellectual property laws as required by the World Trade Organization and modern Western practices.” We attended this meeting, and as we filed out of the room after President Hu’s comments, the American business contingent clearly expressed skepticism toward his claim. And with good reason: It’s estimated that U.S. companies lost approximately $3.5 billion in 2009 alone because of pirated music recordings and software from China, and that 79 percent of all copyright-infringing goods seized in the United States were produced in China. Clearly, it’s not the absence of laws that contribute to this problem, but their lack of enforcement. Officially, it’s against Chinese law to produce counterfeit goods or to copy intellectual property for profit, but in practice, officials are discouraged from pursuing criminal prosecution of these crimes; violators are allowed to keep their profits. Moreover, the fines for violating the laws are too low and too irregularly issued to be effective in deterring such behavior, and corruption at local and regional levels encourages officials to turn the other way and ignore repeated violations.
China is by no means the only state unwilling or unable to enforce international intellectual-property norms. Russia, India and Pakistan have all been singled out for their equally dismal enforcement of these laws. Israel and Canada aren’t normally considered hotbeds of copyright infringement, but neither country has fully implemented the standards and laws of the WIPO, making them a haven for Internet piracy. And within the group of states that do have strong protections for intellectual-property rights, there are usually significant and exploitable differences in interpretation. For example, the notion of fair use (as the United States terms it) or fair dealing (as the British do), which allows for the limited use of copyrighted material without consent from the copyright holder, is far more tightly controlled in the European Union than it is in either the United States or the United Kingdom.
Virtual Statehood
One of our recurring themes is that in the virtual world, size matters less. Technology empowers all parties, and allows smaller actors to have outsized impacts. And those actors need not be known or official. To wit, we believe it’s possible that virtual states will be created and will shake up the online landscape of physical states in the future.
There are hundreds of active violent and nonviolent secessionist movements in the world today, and this is unlikely to change in the future. A large portion of the movements are motivated by perceived ethnic or religious discrimination, and shortly we will discuss how physical discrimination and persecution of these groups will play out online, changing shape but not intent. In the physical world, it’s not uncommon for persecuted groups to be subject to different laws and vulnerable to indeterminate detention, extrajudicial killings, the absence of due process, and all manner of restrictions on their civil and human liberties, and most of these tactics will find their way online, aided significantly by technology that helps regimes monitor, harass and target their restive minority populations.
Hounded in both the physical and virtual worlds, groups that lack formal statehood may choose to emulate it online. While not as legitimate or useful as actual statehood, the opportunity to establish sovereignty virtually could prove to be, in the best cases, a meaningful step toward official statehood, or in the worst cases, an escalation that further entrenches both sides in a messy civil conflict. The Kurdish populations in Iran, Turkey, Syria and Iraq—the four countries where they are most concentrated—might build a Kurdish web as a way to carve out a sort of virtual independence. Iraqi Kurdistan is already quasi-autonomous, so the efforts could begin there. Kurds could establish a top-level domain (e.g., www.yahoo.com.krd), with “krd” standing for Kurdistan, by registering a new domain and basing the servers in a neutral or supportive country. Then they’d build upon that.
Virtual statehood would be much more than just a gesture and a domain name. Additional projects could also develop a distinct Kurdish presence online. With enough effort, the Kurdish web could become a robust version of other countries’ Internet, in the Kurdish language, of course. From there, Kurdish or sympathetic engineers could build applications, databases and other online destinations that not only support the Kurdish cause but actually facilitate it. The virtual Kurdish community could hold elections and set up ministries to deliver basic public goods. They could even use a unique online currency. The virtual minister of information would manage the data flow to and from the online Kurdish “citizens.” The minister of the interior would focus on preserving the security of the virtual state and protecting it from cyber attack. The foreign minister would engage in diplomatic relations with other, actual states. The economic and trade minister would promote e-commerce between Kurdish communities and outside economic interests.
Just as secessionist efforts to move toward physical statehood are typically resisted strongly by the host state, such groups would face similar opposition to their online maneuvers. The creation of a virtual Chechnya might cement ethnic and political solidarity among its supporters in the Caucasus region, but it would no doubt worsen relations with the Russian government, which would consider such a move a violation of its sovereignty. The Kremlin might well respond to virtual provocation with a physical crackdown, rolling in tanks and troops to quell the stirri
ngs in Chechnya.
For the Kurds, who stretch across several countries, this risk would be even more pronounced, as a Kurdish virtual-statehood campaign would be met with resistance from the entire neighborhood, some of whom lack Kurdish populations but would fear a destabilizing effect. No effort would be spared to destroy the Kurdish virtual institutions through low-grade cyber-meddling and espionage, like cyber attacks, disinformation campaigns and infiltration. The populations on the ground would surely bear the brunt of the punishment. The governments would be aided, of course, by the massive amounts of data that these citizens produced, so finding the people involved or supportive of virtual statehood would be easy. Very few secessionist movements have the level of resources and international support that would be required to match this level of counterattack.
Declaring virtual statehood would become an act of treason, not just in restive regions but almost everywhere. It’s simply too risky an avenue to leave open. The concept of virtual institutions alone could breathe new life into secessionist groups that have tried and failed to produce concrete outcomes through violent means, like the Basque separatists in Spain, the Abkhaz nationalists in Georgia or the Moro Islamic Liberation Front in the Philippines. One failed or unsuitable effort could also break the experiment altogether. If, for example, the lingering supporters of the Texas secession movement rallied together to launch a virtual Republic of Texas, and they were met with derision, the concept of virtual statehood might be sullied for some time. How successful these virtual statehood claims would be (what would constitute success, in the end?) remains to be seen, but the fact that this will be feasible says something significant about the diffusion of state power in the digital age.
Digital Provocation and
Cyber War
No discussion on the future of connected states would be complete without a look at the worst things they’ll do to each other: namely, launch cyber wars. Cyber warfare is not a new concept, nor are its parameters well established. Computer security experts continue to debate how great the threat is, what it looks like and what actually constitutes an act of cyber war. For our purposes, we’ll use the definition of cyber warfare offered by the former U.S. counterterrorism chief Richard Clarke: actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.4
Cyber attacks—including digital espionage, sabotage, infiltration and other mischief—are, as we established earlier, very difficult to trace and have the potential to inflict serious damage. Both terrorist groups and states will make use of cyber-war tactics, though governments will focus more on information-gathering than outright destruction. For states, cyber war will primarily meet intelligence objectives, even if the methods employed are similar to those used by independent actors looking to cause trouble. Stealing trade secrets, accessing classified information, infiltrating government systems, disseminating misinformation—all traditional activities of intelligence agencies—will make up the bulk of cyber attacks between states in the future. Others fundamentally disagree with us on this point, predicting instead that states will seek to destroy their enemies by heavy-handed methods like cutting off power grids remotely or crashing stock markets. In October 2012, the U.S. secretary of defense, Leon Panetta, warned, “An aggressor nation … could use these kinds of cyber tools to gain control of critical switches. They could derail passenger trains, or even more dangerous, derail passenger trains loaded with chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.” We tend to take the optimist’s perspective (at least when it comes to states) and say that such escalations, while possible, are highly unlikely, if only because the government that first starts this trend would itself become a target as well as set a precedent that even the most erratic regimes would be cautious to approach.
It’s fair to say that we’re already living in an age of state-led cyber war, even if most of us aren’t aware of it. Right now, the government of a foreign country could be hacking into your government’s databases, crashing its servers or monitoring its conversations. To outside observers, our current stage of cyber war might seem benign (indeed, some might contend that it’s not really “war” anyway, as per the classical Clausewitzian framework of “war as a continuation of policy by other means”). Government-backed engineers might be trying to infiltrate or shut down the information systems of companies and institutions in other countries, but no one is getting killed or wounded. We’ve seen so little spillage of these cyber wars into the physical world that for civilians, a cyber attack seems more an inconvenience than a threat, like an attack of the common cold.
But those who underestimate the threat of cyber war do so at their peril. While not all the hype surrounding cyber war is justified, the risks are real. Cyber attacks are occurring with greater frequency and more precision with each passing year. The increasing entwining of our lives with digital-information systems leaves us more vulnerable with each click. And as many more countries come online in the near future, those vulnerabilities will only expand and become more complicated.
A cyber attack might be the state’s perfect weapon: powerful, customizable and anonymous. Tactics like hacking, deploying computer worms or Trojan horses and other forms of virtual espionage present states with more reach and more cover than they would have with traditional weapons or intelligence operations. The evidence trails they leave are cold, providing perpetrators with effective camouflage and severely limiting the response capability of the victims. Even if an attack could be traced back to a particular region or town, identifying the responsible parties is nearly impossible. How can a country determine an appropriate response if it can’t prove culpability? According to Craig Mundie, Microsoft’s chief research and strategy officer and a leading thinker in Internet security, the lack of attribution—one of our familiar themes—makes this a war conducted in the dark, because “it’s just much harder to know who took the shot at you.” Mundie calls cyber-espionage tactics “weapons of mass disruption.” “Their proliferation will be much faster, making this a much stealthier kind of conflict than has classically been determined as warfare,” he said.
States will do things to each other online that would be too provocative to do off-line, allowing conflicts to play out in the virtual battleground while all else remains calm. The promise of near-airtight anonymity will make cyber attacks an attractive option for countries that don’t want to appear overtly aggressive but remain committed to undermining their enemies. Until the world’s technical experts get better at determining the origin of cyber attacks and the law is able to hold perpetrators to account, many more states will join in on the activities we see today. Blocks of states that are already gaining connectivity and technical capacity, in Latin America, Southeast Asia and the Middle East, will begin launching their own cyber attacks soon, if only to test the waters. Even those who lack indigenous technical skills (e.g., local engineers and hackers) will find ways to get the tools they need.
Let’s consider a few recent examples to better illustrate the universe of cyber warfare. Perhaps the most famous is the Stuxnet worm, which was discovered in 2010 and was considered the most sophisticated piece of malware ever revealed, until a virus known as Flame, discovered in 2012, claimed that title. Designed to affect a particular type of industrial control system that ran on the Windows operating system, Stuxnet was discovered to have infiltrated the monitoring systems of Iran’s Natanz nuclear-enrichment facility, causing the centrifuges to abruptly speed up or slow down to the point of self-destruction while simultaneously disabling the alarm systems. Because the Iranian systems were not linked to the Internet, the worm must have been uploaded directly, perhaps unwittingly introduced by a Natanz employee on a USB flash drive. The vulnerabilities in the Windows systems were subsequently patched up, but not after causing some damage to the Iranian nuclear effort, as the Iranian president, Mahmoud Ahmadinejad, admitted.
Initial efforts to locate the creators of the worm were inconclusive, though most believed that its target and level of sophistication pointed to a state-backed effort. Among other reasons, security analysts unpacking the worm (their efforts made possible because Stuxnet had escaped “into the wild”—that is, beyond the Natanz plant) noticed specific references to dates and biblical stories in the code that would be highly symbolic to Israelis. (Others argued that the indicators were far too obvious, and thus false flags.) The resources involved also suggested government production: Experts thought the worm was written by as many as thirty people over several months. And it used an unprecedented number of “zero-day” exploits, malicious computer attacks exposing vulnerabilities (security holes) in computer programs that were unknown to the program’s creator (in this case, the Windows operating system) before the day of the attack, thus leaving zero days to prepare for it. The discovery of one zero-day exploit is considered a rare event—and exploited information can be sold for hundreds of thousands of dollars on the black market—so security analysts were stunned to discover that an early variant of Stuxnet took advantage of five.
Sure enough, it was revealed in June 2012 that not one but two governments were behind the deployment of the Stuxnet worm. Unnamed Obama administration officials confirmed to the New York Times journalist David E. Sanger that Stuxnet was a joint U.S. and Israeli project designed to stall and disrupt the suspected Iranian nuclear-weapons program.5 Initially green-lit under President George W. Bush, the initiative, code-named Olympic Games, was carried into the next administration and in fact accelerated by President Obama, who personally authorized successive deployments of this cyber weapon. After building the malware and testing it on functioning replicas of the Natanz plant built in the United States—and discovering that it could, in fact, cause the centrifuges to break apart—the U.S. government approved the worm for deployment. The significance of this step was not lost on American officials.6 As Michael V. Hayden, the former CIA director, told Sanger, “Previous cyberattacks had effects limited to other computers. This is the first attack of a major nature in which a cyberattack was used to effect physical destruction. Somebody crossed the Rubicon.”
