The Lawless Realm
Countering the Real Cyber Threat
(By Marietje Schaake - November/December 2020 – Foreign Affairs Magazine)
This past summer, a host of public organizations as varied as the Norwegian parliament, the New Zealand stock exchange, and the Vatican all came under attack. No shots were fired, no doors knocked down, no bombs exploded. Instead, the attackers managed to intrude into these institutions’ internal networks in attempts to commit espionage, disrupt daily affairs, or ransom or blackmail victims. Incidents of this kind are just the tip of the iceberg. Cyber attacks are constantly taking place, and many intrusions go unnoticed and unreported. In democratic countries, only intelligence agencies and private companies can reach a detailed understanding of cyber attacks and the risks they pose. Everyone else must scramble for information about what actually happens below the surface of the digital world.
For years, policymakers who pay attention to new threats have pointed to the possibility of a “cyber–Pearl Harbor,” a devastating attack on a country’s critical digital infrastructure. But the more immediate risk comes from attacks below that threshold, intrusions that can still cause grave damage. In 2017, hackers exploited a vulnerability in the Microsoft Windows operating system to infect over 300,000 computer systems in 150 countries with a malicious virus. The virus, called WannaCry, affected individuals, companies, and state agencies, including the National Health Service in the United Kingdom, where it led to the cancellation of over 19,000 appointments and the loss of around $100 million in damages. Experts estimated that all told, the cost of the global disruption caused by WannaCry reached some $4 billion. American and British investigators eventually traced the source of the malware to operatives in North Korea.
WannaCry was a rare and well-publicized episode of a more widespread, subtle, and poorly understood problem: the ease with which malign actors with geopolitical or criminal goals can take advantage of vulnerabilities across the digital world. Most attacks and intrusions remain invisible and consist of a series of steady punches rather than one major blow. Instead of fixating on highly visible and dramatic events, policymakers should focus on reviving the role of democratic institutions in ensuring the safety of the public in cyberspace.
To do that, governments must recognize that the private sector wields outsize power in the digital world. Democratic states have ceded too much ground to corporations. Public authorities are largely at the mercy of private companies; they cannot look under the hoods of the companies that, for instance, supply software to hospitals, electricity networks, or smart devices. Legislatures and city councils are not privy to the security stress tests such systems undergo. This imbalance has given private companies a dominant position that governments could only dream of: government agencies responsible for national security are now often in the awkward position of relying on commercial data to fulfill their own mandates. Governments face a steep learning curve in understanding conflict and risk in the digital domain, but it’s well past time that they take a more concerted approach to taming this lawless realm.
For centuries, states enjoyed a monopoly on the use of force. Thanks to the asymmetric power facilitated by digitization and the proliferation of cyber weapons, that monopoly has slipped out of their grasp. Yes, many democratic countries—including the United States—have developed powerful tools to deploy in cyberspace, setting up sophisticated surveillance systems and launching attacks on adversaries. At the same time, developed countries wrestle with a private sector that exercises disproportionate power in the technological sphere, gobbling up data and taking on some key functions of the state, such as the protection of critical infrastructure.
Private companies both build the architecture of the digital world and largely govern its flows of data. They are often the victims of cyber attacks. But they are complicit in these attacks when they fail to protect databases and lose the personal information of their customers and clients. Worse, some companies are even developing and selling new technologies to adversaries around the world. Authoritarian (and several democratic) governments hire the services of hackers and buy commercially sold systems of digital surveillance and control. For instance, a U.S. company called Sandvine is alleged to have supplied the government of Belarus with the technology it used this past summer to shut down its citizens’ access to much of the Internet during anti-government protests. Non-state actors, such as militias or criminal gangs, can wreak disproportionate havoc through cyber attacks, hurting much more powerful states, companies, and international organizations.
Authorities often have a tough time understanding cyber attacks and identifying their perpetrators. As a result, attackers frequently act with impunity, using clever tactics and benefiting from a legal vacuum: there are few mechanisms that guarantee international cooperation and coordination in discovering and bringing to justice cyber attackers. “False flag” operations—in which actors conceal their identities and try to pin the blame on others—are common in the digital world. An intrusion directed from the other side of the world can be executed in milliseconds, almost invisibly. The speed of digital innovation outstrips the ability of states to prevent cyber attacks, hold perpetrators to account, and pass the necessary laws on encryption standards, data protection, and product liability (to hold manufacturers or sellers responsible for the goods they make or trade).
States are also unable to control private companies whose actions may imperil public safety; indeed, in some cases, a state finds itself dependent on just such a company. Earlier this year, a breach of a database belonging to the facial recognition company Clearview AI revealed that the firm was selling its technology and databases not just to vetted law enforcement agencies but also to a host of private companies. The breach showed how a private company can secretly share information about citizens without their consent and without transparency, as well as how such a company can be susceptible to hostile actors. And yet law enforcement agencies are increasingly reliant on the work of technology firms such as Clearview AI.
Society’s growing reliance on digitally connected devices creates more general vulnerabilities. A canny and willing attacker can exploit a software-powered fridge in a home or a street lined with data-collecting sensors in a smart city, finding multiple entry points to bring down a broader system. It is enough of a challenge for defense departments and intelligence services to man the ramparts and keep a lookout for such sophisticated adversaries. But the frontlines are now ubiquitous thanks to the pervasiveness of digital technology, and so doctors in hospitals, professors in university labs, and human rights activists in repressive countries—all must now contend with cyber threats.
Such civilian targets are not always well prepared for this fight. Public institutions often employ poorly protected digital systems even when they process sensitive information. A clinic, for example, cannot be blamed for hiring an additional surgeon instead of a cybersecurity expert. A public university might choose to invest in computers for students but not acquire the more expensive protections to ensure that those new computer systems are safe. And an election board might decide to modernize electoral processes by installing voting machines and dispensing with paper ballots, without knowing the proper safeguards or having the means to invest in the requisite protections. Such well-intentioned efforts are understandable on their face, but they conspire to make societies vulnerable.
The imbalance between the public and the private sector in democratic countries is obvious in another dangerous arena: the sale of cyber weapons to authoritarian regimes. Few laws limit how companies can trade in digital surveillance, blocking, and intrusion systems. Syria is a troubling case in point. As it wages civil war, the government of Bashar al-Assad has used operations in cyberspace to hit both adversaries abroad and opponents within the country. Hackers belonging to the so-called Syrian Electronic Army (which claimed to be acting independently of the Syrian government) gained visibility around the world for defacing the websites of Western media companies, such as The New York Times and the BBC, and for hacking the website of the U.S. Marine Corps. These brief propaganda victories were far less significant than the government’s digitally enabled attacks on domestic opposition figures and human rights defenders during the peaceful protests of 2011. That year, the Syrian government used sophisticated digital technology to collect communications between dissidents, which it then exploited to incriminate and detain the activists.
That one of the most violent regimes in the world engaged in such repression is not surprising; what is shocking is that European companies helped. The Assad government depended on technology and expertise from AREA, an Italian company. AREA sold technology to Syrian authorities that allowed them to monitor communications across the country, collecting and scanning Facebook posts, Google searches, text messages, and phone calls for key words or connections between particular individuals. The ensuing roundup of dissenting civilians led to torture and deaths.
Syria is not alone in receiving technological support from abroad for the purpose of domestic repression. Over the past few decades, companies based in Western countries have designed, marketed, and sold similar technology to a number of other authoritarian governments, including those of Egypt, Iran, Saudi Arabia, and the United Arab Emirates. When democratic countries fail to curb the sale of aggressive hacking systems by companies within their own borders to illiberal governments, they are undermining the worthy ambitions of their foreign policies. But the problem doesn’t seem to be going away. Some estimates predict that annual global sales of these systems will rise to hundreds of billions of dollars by 2021. China is now aggressively entering this market, too; it already is the global driver in developing and exporting technologies that enable repression, including facial recognition technology and predictive policing systems.
These technologies in the hands of non-state actors are also a concern: such actors can cripple far more powerful states, organizations, and companies through cyber attacks. In 2015, a hack of JPMorgan Chase compromised 83 million accounts; four individuals were eventually arrested. In 2017, “Rasputin,” a hacker who appeared to be operating alone, broke into databases of U.S. universities and government institutions, apparently hoping to sell access to the information. Earlier this year, a 17-year-old from Florida and two other hackers managed to take over 130 prominent Twitter accounts, including those of former U.S. President Barack Obama and former U.S. Vice President Joe Biden, and posted messages that convinced people to send money to a particular Bitcoin account. The hackers could have used that account access for far more sinister goals, including attempting to escalate geopolitical conflict or crash stock markets.
Some individuals with such exceptional skills sell their talents to the highest bidder. Among the most notorious companies hiring hackers is DarkMatter. This cybersecurity company, based in the United Arab Emirates, has hired former intelligence officials from the U.S. National Security Agency and the Israel Defense Forces, creating what amounts to a private intelligence service and blurring the lines of agency between companies and states. Such companies with top-grade skills may attract unsavory clients, including authoritarian regimes and even terrorist groups.
Democratic states have struggled to regulate the digital world and the market for cyber weapons, but some technology companies are beginning to take action. WhatsApp, through its parent company, Facebook, filed a lawsuit last spring against the NSO Group, an Israeli mobile surveillance company. The suit alleges that NSO covertly exploited vulnerability in WhatsApp to illegally extract information from the phones of users. Facebook argues that NSO’s actions were unlawful. NSO is also the target of a lawsuit filed in Israel in 2018 by a Saudi dissident who claims that Saudi authorities used the company’s technology to spy on his communications, including those with Jamal Khashoggi, the journalist who was murdered in Turkey by Saudi operatives that same year. Forty-five countries are thought to be using the same NSO product, including democracies such as Mexico and Spain.
It shouldn’t be left to private companies and courts to determine the legitimacy of products and services that have the potential to compete with state intelligence services. Democratic countries must extend norms and rules to ensure safety in the digital world. Just as nations agreed to international laws governing the conduct of war and nuclear weapons, so, too, must they establish agreements to fend off threats in cyberspace. Perpetrators of cyber attacks have remained unaccountable for too long. Democratic governments especially need to take a number of steps to re-balance the power between states and private companies, which play too large a role in the digital world.
Policymakers should start by clearly identifying which digitized systems are vital for the public interest, public safety, and the functioning of society. Officials must designate relevant systems, such as those for voting, as critical infrastructure, setting a specific set of criteria and regulations for these systems, even for those largely in private hands. Most countries are far behind on this front. It took until January 2017 for the U.S. Department of Homeland Security to designate election infrastructure as critical.
Too often, officials do not have access to information about risks to public services. They should be informed, for instance, about the results of stress tests that assess the resilience to cyber attacks of clinics, polling centers, tax authorities, and other important institutions. Additionally, governments should put in place stringent guidelines for how officials at the local and national level should procure digital systems and liability regimes that would hold private companies to account for the consequences of their products. Policymakers must also be more deliberate about deciding when state functions and vital systems can and cannot be outsourced to private firms. A company such as Clearview AI should not be allowed to simply scrape the Internet to build databases of faces to sell to law enforcement agencies. It becomes harder to ensure that the police will act in accordance with the law when so much power is granted to a poorly audited and monitored private firm such as Clearview AI.
Trade secrets and nondisclosure agreements often prevent information on the functioning of such private technology companies from becoming known to the public. As a result, governments struggle to get a handle on the real threats and risks already out there. Such legal shields for private companies also prevent independent research into the intended and unintended effects of these companies’ products. This inscrutability blocks a well-informed public debate about digitization and security and inhibits evidence-based policy-making. Governments should institute standards and regulations to ensure that private companies provide meaningful access to information.
Everyone knows that those who live in glass houses should not throw stones. But it has nevertheless been tempting for democratic governments to deploy their own covert offensive cyber weapons in an attempt to deter adversaries. Such actions should have clear rules of engagement. Both offensive and defensive actions in cyberspace should be subject to legislative and democratic oversight, even if those oversight sessions have to be confidential.
In recent years, U.S. covert operations have targeted China and Russia since the authorization of a national security presidential memorandum, signed by U.S. President Donald Trump in 2018, that sought to loosen restrictions on the use of digital weapons. Members of Congress complained that the Trump administration never shared the memorandum with Congress. That lack of democratic oversight is troubling. The increase in the use of offensive and defensive cyber-capabilities, even by democratic states that normally act within the rule of law, should not happen without a legitimate mandate and proper independent oversight.
In addition to ensuring that military uses of cyber technology receive sufficient oversight, governments must cut the close ties between the private sector and intelligence agencies. That revolving door encourages the development, production, and sale of digital arms. Governments should rein in the commercial surveillance and hacking market by imposing licensing requirements and restricting exports to adversaries and repressive regimes. Companies should act in line with the universal principles of human rights. Steep fines, criminal liability, or even bans on digital products that have pernicious uses are steps that would immediately have a positive effect. Excluding companies that cater to dictatorships from government contracts should force them to make a choice and prevent adverse flows of information. Surveillance, covert hacking, and data theft should not be considered legitimate commercial services. Governments should additionally put in place rules that stop intelligence officers from serving the nation one day and building military-grade commercial hacking systems the next.
At the same time, governments must exercise greater control over their necessary cooperation with the private sector. Public agencies frequently rely on private companies to protect critical infrastructure or monitor risks in digital systems. When that is the case, authorities need to ensure that clear chains of responsibility and accountability are in place. And government agencies in democracies also need to better coordinate with one another as they evolve to meet the challenges of the digital age. A whole-of-government approach will help identify conflicting objectives and bridge gaps in awareness and responsibility between different parts of the same government.
Democratic societies can do more to make the damage caused by cyber attacks—and the fact that these attacks have real victims—clear to the public, which often perceives these incidents as incomprehensible and launched by faceless hackers in military facilities. That narrative has to change. Cyber attacks have real consequences that reach far beyond defense departments and intelligence services to private houses, nursing homes, college campuses, and doctors’ offices. Demystifying and humanizing the threat should help encourage more people to take cybersecurity and their own use of digital technology more seriously. If governments ensure that companies are more transparent, then the media can scrutinize the conduct of the private sector, which in turn would allow consumers to be better informed. That public engagement should help sustain the necessary political agenda for reform.
Leaders have to muster the requisite political will to update norms, guidelines, regulations, and laws at the international level, because aggressors in cyberspace do not respect national borders. The European Union offers a template of what broader coordination among like-minded countries can look like. Its members have agreed on a number of regulations pertaining to cybersecurity, including data protection and the screening of foreign investment in European technology firms for potential security risks. Member states are in the process of updating their export controls for commercially sold hacking systems. EU member states have also agreed to collectively level sanctions against those found to be responsible for cyber attacks.
In the same spirit, countries around the world need to agree on new norms: What level of cyber attack amounts to an act of war, for example, and what measures would serve as an appropriate response to such an attack? A cyber attack on critical infrastructure that results in real devastation and harm to human life should rightfully be compared to a conventional attack on such infrastructure. It’s time for democratic governments to begin to take seriously the changing face of conflict in the twenty-first century.
Perpetual intrusions and cyber attacks suggest that in the battle between hackers and governments, democratic governments are losing. If they fail to do better, the balance of power will tip even more in favor of harmful actors, private companies, and authoritarian regimes. But if they succeed, then a new raft of democratically mandated measures could tame the lawlessness in cyberspace. That, in turn, would restore confidence that a liberal, rules-based order can prove its relevance in the digital age.