by Jared Cohen
The episodes that prompt these discussions will probably not be state-to-state cyber warfare; a more likely driver will be state-sponsored corporate espionage. States can contain the fallout of attacks on their own governmental networks, but if companies are targeted, the attacks are much more public and can affect more people if user or customer data is involved. Globalization also makes digital corporate espionage a more fruitful endeavor for states. As companies look to expand their reach into new markets, inside information about their operations and future plans can help local entities win contracts and regional favor. To examine why this is true and what it means for the future, we have to look, again, at China.
While China is by no means the only country engaging in cyber attacks on foreign companies, today it is the most sophisticated and prolific. Beijing’s willingness to engage in corporate espionage, as well as to sanction its companies to do the same, results in a heightened vulnerability for foreign corporations, not just those looking to work in China but those everywhere in the world. The previously mentioned Chinese cyber attack against Google and dozens of other companies in 2009 is hardly an isolated case; in only the past few years, the industrial-espionage campaign led by Chinese spy agencies has targeted American companies producing everything from semiconductors and motor vehicles to jet-propulsion technology. (Of course, corporate espionage is not a new phenomenon. In one famous nineteenth-century example, England’s East India Company hired a Scottish botanist to smuggle Chinese plants and secrets from China into India—which he did successfully, dressed as a Chinese merchant—to break the Chinese monopoly on tea.)
What is new about this latest iteration of corporate espionage is that, in the digital era, so much work can be done remotely and near-anonymously. As we’ll see shortly in our discussion of automated warfare, this is a crucial new technological development that will affect many areas in our future world. We live in an age of expansion, and as China and other emerging superpowers seek to expand their economic foothold around the world, digital corporate espionage will greatly enhance their abilities to grow. Whether officially state-sponsored or simply encouraged by the state, hacking into competitors’ e-mails and systems to obtain proprietary information will certainly give players an unfair advantage in the market. Several business leaders of major American corporations have told us in confidence about deals they lost in Africa and other emerging markets because of what they believe to be Chinese spying or theft of sensitive information (which was then used to thwart or commandeer their deals).
Today, the majority of cases of corporate espionage between China and the United States appear to involve opportunists rather than the visible hand of the state. There was the Chinese couple in Michigan who stole trade information related to General Motors’ research into hybrid cars (which the company estimated to be worth $40 million) and tried to sell it to Chery Automobile, a Chinese competitor. There was the Chinese employee of Valspar Corporation, a leading paint and coatings manufacturer, who illegally downloaded confidential formulas valued at $20 million, intending to sell them to China, and the DuPont chemical researcher who stole information on organic light-emitting diodes, which he planned to give to a Chinese university. None of these actors was tied directly to the Chinese government, and in fact they may simply have been private individuals looking to profit from confidential trade secrets. But we also know that in China, where most major companies are state-owned or heavily influenced by the state, the government has conducted or sanctioned numerous intelligence-gathering cyber attacks against American companies. There can be little doubt that the attacks we know about represent a small percentage of those attempted, whether successful or not.
The United States will not take the same path of digital corporate espionage, as its laws are much stricter (and better enforced) and because illicit competition violates the American sense of fair play. This is a difference in values as much as a legal one—as we discussed earlier, China today does not rate intellectual property rights very highly. But the disparity between American and Chinese firms and their tactics will put both the government and the companies of the United States at a distinct disadvantage. American firms will have to fiercely protect their own information and patrol their network’s borders, as well as monitor a range of internal threats (all of the individuals in the above examples legitimately worked for those companies), just to remain competitive.
• • •
The current economic espionage will continue for decades, both between the United States and China and between other nations that gain the required technical capabilities and see the competitive advantages it offers. There will be no dramatic escalation for the same reason that we’ll have an ongoing but relatively stable Code War: the lack of attribution in cyber attacks. The Chinese government is free to support or partake in any number of cyber attacks against foreign companies or human-rights organizations so long as their involvement cannot be definitively proven.7
But there are strategies we can use to mitigate the damage caused by cyber attacks in addition to introducing some vulnerability on the part of the attackers. One idea comes from Microsoft’s Craig Mundie: virtual quarantine. As we’ve described, many cyber attacks today come in the form of DDoS attacks and regular denial-of-service (DoS) attacks, which require the use of one “open” or insecure computer on a network that the attacker can use as a base of operations to build his “zombie army” of compromised devices. (DoS attacks could be generated by a small number of hyperactive attacking machines; DDoS attacks are generated by a large, distributed—hence the extra “D”—network of attacking machines, often comprised of hacked computers owned by everyday users ignorant of the fact that their computers are being manipulated in this way.) One neglected or unprotected device on the network—a never-used laptop in a science lab, or a personal computer an employee brings to work—can become the attacker’s base and then compromise the whole system.8
Quarantine mechanisms contain this attack by enabling the ISP to shut off an infected computer as soon as it recognizes it, unilaterally and without owner authorization, taking the computer off-line. “The basic premise is that when you have a network disease, you have to find a way to slow the spread rate,” Mundie explained. “We quarantine people involuntarily, but in cyberspace we haven’t yet decided that quarantining is the right thing to do.” When any machine shows signs of virus or disease, it must be “isolated, contained and healed before being exposed to healthy systems,” he added. Users often don’t recognize when their computers have been compromised, so allowing the ISPs to conduct these actions will bring about a much faster resolution. Depending on how the mechanism works and what kind of attack is being used, the attackers may or may not recognize that the infected device is off-line—but the user would find his Internet connection inoperable, by mandate of the ISP. By denying the attackers the ability to reach through the infected computer, the harm they can do is greatly reduced.
In Mundie’s vision, there would be a neutral international organization to which ISPs could report the IP addresses of infected computers. This way ISPs and states around the world could refuse to let quarantined IP addresses into their online space, cutting off the range of the cyber attack. In the meantime, investigators could watch the cyber attackers from a distance (the attackers would not know the device had been quarantined) and gather information about them to help trace the origin of the attacks. Only when the user had certifiably cleaned his device (with special antivirus software) would his IP address be released from quarantine. In addition to an international organization leading these changes, we might see in parallel the creation of an international treaty around the automatic takedown mechanism. International agreement about swift action to deal with infected networks would be a big step forward in fighting cyber attacks. States that do not agree to the treaty might risk having their whole country considered quarantined, thus putting it off-line for much of the world’s users.
Stronger network security will improve the odds for potential targets well before any quarantining is required. One of the basic problems in computer security is that it typically takes much more effort to build defenses than to penetrate them; sometimes programs to secure sensitive information rely on 10 million lines of code while attackers can penetrate them with only 125 lines. Regina Dugan, a senior vice-president at Google, is a former director of DARPA (the Defense Advanced Research Projects Agency), where her mandate included advancing cybersecurity for the U.S. government. She explained to us that, to effectively counter this imbalance, “We went after the technological shifts that would change that basic asymmetry.” And, like Mundie, Dugan and DARPA turned to biology as one of the ways to counter the imbalance: They brought together cybersecurity experts and infectious-disease scientists; the result was a program called CRASH, the Clean-Slate Design of Resilient, Adaptive, Secure Hosts.
The philosophy behind CRASH recognized that human bodies are genetically diverse and have immune systems designed to process and adapt to viruses that pass through them, while computers tend to be very similar in their structure, which enables malware to attack large numbers of systems efficiently. “What we observed in cybersecurity,” Dugan said, “is that we needed to create the equivalent of an adaptive immune system in computer security architecture.” Computers can continue to look and operate in similar ways, but there will have to be unique differences among them developed over time to protect and differentiate each system. “What that means is that an adversary now has to write one hundred and twenty-five lines of code against millions of computers—that’s how you shift the asymmetry.” The lesson learned is undoubtedly applicable beyond cybersecurity; as Dugan put it, “If that initial observation tells you this is a losing proposition, you need something foundationally different, and that in and of itself reveals opportunities.” In other words, if you can’t win the game, change the rules.
Still, despite some tools for dealing with cyber attacks, lack of attribution online will remain a serious challenge in computer and network security. As a general rule, with enough “anonymizing” layers between one node and another on the Internet, there is no way to trace data packets back to their source. While grappling with these issues, we must remember that the Internet was not built with criminals in mind—it was based on a model of trust. It’s challenging to determine who you are dealing with online. Information-technology (IT) security experts get better at protecting users, systems and information every day, but the criminal and anarchic elements on the web grow equally sophisticated. This is a cat-and-mouse game that will play out as long as the Internet exists. The publication of cyber-attack and malware details will help, on a net level; once the components of the Stuxnet worm were unpacked and published, the software it used was patched and cyber-security experts could work on how to protect systems against malware like it. Certain strategies, like universal user registration, might work too, but we have a long way to go before Internet security is effective enough everywhere to prevent simple cyber attacks. We are left once again with the duality of the online world: Anonymity can present opportunities for good or ill, whether the actor is a civilian, a state or a company, and it will ultimately depend on humans how these opportunities manifest themselves in the future.
To summarize: States will long for the days when they only had to think about foreign and domestic policies in the physical world. If it were possible to merely replicate these policies in the virtual realm, perhaps the future of statecraft would not be so complex. But states will have to contend with the fact that governing at home and influencing abroad is far more difficult now. States will pull the most powerful levers they have, which include the control they hold over the Internet in their own countries, changing the online experiences of their citizens and banding together with like-minded allies to exert influence in the virtual world. This disparity between power in the real world and power in the virtual world presents opportunities for some new or underappreciated actors, including small states looking to punch above their weight and would-be states with a lot of courage.
States looking to understand each other’s behavior, academics studying international relations, and NGOs and businesses operating on the ground within sovereign territory will need to do separate assessments for the physical and virtual worlds, understanding which events that occur in one world or the other have implications in both, and navigating the contradictions that may exist between a government’s physical and virtual foreign and domestic policies. It is hard enough to get this right in a world that is just physical, but in the new digital age error and miscalculation will occur more often. Internationally, the result will be more cyber conflict and new types of physical wars, and, as we will now see, new revolutions.
1 We recommend the 2006 book Who Controls the Internet?: Illusions of a Borderless World, by Jack Goldsmith and Tim Wu, which puts forth this scenario with great clarity.
2 Internet Balkans, as we refer to them, are different than intranets. An intranet uses the same Internet protocol technology but is limited to a network within an organization or local area, instead of a network of other networks. Corporate intranets are often protected from unauthorized external access by firewalls or other gateway mechanisms.
3 Smaller incidents, however, do suggest that governments are capable and perhaps comfortable manipulating DNS routing on occasion. More than a few times, Google’s web address has mysteriously directed people to www.Baidu.com, China’s local search competitor.
4 We distinguish between “cyber attack” and “cyber terrorism” by looking at the individual or entity behind the attack and assessing motives. The two, however, may manifest themselves in very similar ways, such as economic espionage.
5 When we asked the former Israeli intelligence chief Meir Dagan about the collaboration, his only comment was, “Do you really expect me to tell you?”
6 Larry Constantine, a professor at the University of Madeira, in Portugal, challenges Sanger’s analysis in a September 4, 2012, interview podcast with Steven Cherry, an associate senior editor at IEEE Spectrum, the magazine of the Institute of Electrical and Electronics Engineers, arguing that it is technically impossible for Stuxnet to have spread in the manner that Sanger described (e.g., Stuxnet could spread only over a LAN—local area network—not the Internet). Our view is that Constantine’s argument has enough validity to at least warrant debate.
7 Eventually, the Chinese government will be caught red-handed in one of these industrial attacks. If the case is presented to the United Nations Security Council, no resolution will ever be approved, owing to China’s veto power, but the outcome will nevertheless be serious geopolitical embarrassment.
8 There’s an important distinction that needs to be made here. For the purposes of DoS and DDoS attacks, it’s not always relevant whether any compromised computers are inside or outside the target’s network. Where it matters most is in industrial espionage, when the goal is information extraction; in those cases, computers must be inside the network.
CHAPTER 4
The Future of Revolution
We all know the story of the Arab Spring, but what we don’t know is what comes next. There can be little doubt that the near future will be full of revolutionary movements, as communication technologies enable new connections and generate more room for expression. And it’s clear that certain tactical efforts, like mobilizing crowds or disseminating material, will get easier as mobile and Internet penetration rates rise across many countries.
But despite seeing more revolutionary movements, we’ll see fewer revolutionary outcomes—fully realized revolutions resulting in dramatic and progressive political turnover. A lack of sustainable leaders combined with savvier state responses will impede profound change (both good and bad) on the scale of the Arab revolutions that began in late 2010. Throughout history, the technologies of the time have stimulated and shaped how revolutions developed, but at a fundamental level all successful revolutions share common factors, like institutional structure, outside support and cultural cohesiveness. The historical record is littered with failed attempts that lacked these basic elements, from Russian revolutionary efforts prior to 1917 through Iraq’s Shia uprising in 1991 and the 2009 Green Revolution in Iran. Modern technology, powerful as it is, cannot work miracles, though it can improve the odds of success dramatically.
With so many people connected in so many places, the future will contain the most active, outspoken and globalized civil society the world has ever known. In the beginning of revolutionary movements, the noisy nature of the virtual world will impede the ability of state security to keep up with and crush revolutionary activity, enabling a revolution to start. But how quickly this can happen presents a new problem, since leaders will then have to operate in the physical world of parliaments, constitutions and electoral politics—none of which they’ll have the skill or experience to navigate effectively.
Easier to Start …
As connectivity spreads and new portions of the world are welcomed into the online fold, revolutions will continually sprout up, more casually and more often than at any other time in history. With new access to virtual space and to its technologies, populations and groups all around the world will seize their moment, addressing long-held grievances or new concerns with tenacity and conviction. Many leading these charges will be young, not just because so many of the countries coming online have incredibly young populations—Ethiopia, Pakistan and the Philippines are three examples where the majority of the population is under the age of thirty-five—but also because the mix of activism and arrogance in young people is universal. They already believe they know how to fix things, so, given the opportunity to take a public stand, they won’t hesitate.