Russian interference in the US presidential election is barely the tip of the cyberwarfare iceberg. American cyber-sabotage of North Korean missiles, North Korea’s attacks on Sony Corporation, Israeli attacks on Iran’s nuclear program — these are all indications that the breadth and depth of cyber threats are far greater than we realize.
Alexander Klimburg, program director of the Hague Center for Strategic Studies and a former fellow of the Belfer Center at Harvard’s Kennedy School, talks to WhoWhatWhy’s Jeff Schechtman about the mounting competition among nations to dominate cyberspace.
Klimburg says that while governments themselves engage in — and are victims of — hacking and other forms of cyberwarfare, they also use such actions to justify their reach for more state control of the Internet. The US, China and Russia may pursue different objectives in their cyber operations, but they seem to agree on one goal: weaponizing information technology in the service of national interest.
Klimburg explains why defenses against hacking have proved so inadequate, the importance of maintaining bottom-up as opposed to top-down, control of the Internet and why we should look at the world’s financial system as a model for how to exercise such control.
In his book, THE DARKENING WEB: The War for Cyberspace, Klimburg reminds us that unless we resist attempts by national governments to take it over, the Internet, rather than bringing us together, may become a dark place that changes the world for the worse.
Click HERE to Download Mp3
Full Text Transcript:
As a service to our readers, we provide transcripts with our podcasts. We try to ensure that these transcripts do not include errors. However, due to resource constraints, we are not always able to proofread them as closely as we would like, and we hope that you will excuse any errors that slipped through.
|Jeff Schechtman:||Welcome to radio WhoWhatWhy. I’m Jeff Schechtman. Companies being hacked, nations and democracies being hacked, privacy under siege. The internet was supposed to change the world, create more freedom, and break down traditional barriers between nations and people. The irony is that it may be having the opposite effect as individuals, nations, and corporations seek to protect themselves and exploit the internet for greater profit. We could easily lose the very things it created. After all, with all due respects to Amazon, it was meant for more than just shopping.|
|So where are we in this battle to protect the internet and what are the real dangers that we face? We’re going to talk about this today with my guest Alexander Klimburg. He’s the program director at The Hague Center for Strategic Studies, he’s a nonresident senior fellow at the Atlantic Council, and an associate and former fellow at the Belfer Center at the Harvard Kennedy School. He’s been an advisor to a number of governments and international organizations on cybersecurity strategy and internet governance and it is my pleasure to welcome Alexander Klimburg here to talk about the war for cyberspace. Alexander Klimburg, thanks so much for joining us.|
|Alexander Klimburg:||Thanks for having me.|
As we look out today at the battles, the challenges that the internet faces, talk a little bit about what you see as the thing that we need to most focus on right now.
|My main concern is that we don’t absolutely appreciate the internet that we have today and that it is actually a great invention, maybe on the level of the invention of the wheel, that has basically empowered our societies in new ways, given us new freedoms and new productivity. But that is only possible if the internet, effectively, remains free, free from the control of special interest. The internet is effectively managed by a galaxy of different actors, by civil society, the private sector, and government.|
|And government is, by far, the least important actor. It can blow things up, it can also spy on things, so it can’t really build stuff in cyberspace. But they do want to get involved in this debate and they want to get involved in it strongly. Most importantly, governments outside of the US and the western block of like-minded democracies think that the internet should be run by states rather than as it is currently, which is by this galaxy of different actors with civil society in the lead. They want states to be the final decider on information in the internet, and we have to understand what that means. The final decider of information would mean the final word on everything regarding our lives, from the way we educate our children, to the media we consume, to the way we vote.|
|So, we have to be aware that the internet that we have right now, which is effectively free internet that just facilitates our daily lives and doesn’t try to direct in a specific direction, could be changed. It’s not something that is likely to happen, but it’s possible to happen and since we were concerned with nuclear holocaust for decades on end, I think it’s also valid to be concerned of the internet becoming a much darker place as well.|
|Jeff Schechtman:||There’s also an irony in all of this that’s a little like the fireman who’s also an arsonist. The idea that it is these governments, the US government, the Russian government, the Chinese government, that are creating such havoc within the framework of the internet, that it also becomes the reason why they want to do things to limit its freedom.|
|Alexander Klimburg:||Absolutely. I think the example of the fireman and the arsonist is a very good one. Effectively, I am concerned that we sometimes look at cyber attacks in the West as being only technical while in the East, and actually also about hackers, cyber attacks are usually viewed as being primarily a human issue. So, when we think about cyber attacks, we think what kind of data do they want to steal, what kind of data do they want to destroy, what kind of data do they want to simply spy on. And, in point of fact, many other governments might not be interested in the data that they are stealing or destroying, but they’re more interested in the narrative they’re trying to influence.|
|And if you even look at the recent ransomware attacks that we’ve seen, for instance, WannaCry and NotPetya, there wasn’t really an attempt to monetize the data they were stealing, well, basically encrypting. The real intent, especially as far as the most recent cyber attack NotPetya is concerned, was simply destruction and it wasn’t destruction simply to play havoc for the fun of it, it was, I think, to influence the narrative. The narrative is to get governments to do something in cyberspace and we have to be aware that doing something in cyberspace may well involve effectively weakening the current model of the internet that we cherish today, which is led not by governments, but by the civil society in the private sector.|
|Jeff Schechtman:||Is there a fundamental difference in the kind of things that the US, and the Russians, and the Chinese principally are doing with respect to these areas in cyberspace?|
|Alexander Klimburg:||Well, it depends whom you ask. Normally one would say that, particularly the US, have a very technical view of cyber operations. They were developed primarily to support, for instance, military operations to help penetrate an air defense system, for instance, and then drop bombs in a conventional way. But also more other similar missions like taking down a critical infrastructure grid. The way the Russians and the Chinese have always viewed cyber operations is that it’s all about information, information control, information dominance, and they accuse the US of using the internet, for instance, to undermine their rule by supporting dissent, by supporting opposition to their governments, and being involved in their internal affairs.|
|Now, this is their view that they’ve stipulated very often on the base of no evidence other than they think civil society organizations are always paid foreign agents, but effectively this has led them, justified or not, down a similar path where they engage in information warfare attacks. Their concept is simply that information should be treated as a weapon. And that is something we should be deeply concerned with because information being treated as a weapon means that effectively the New York Times, Washington Post, NPR, there are also social media posts on Facebook and everywhere else starts being treated as a weapon of war. That’s a dialogue we can’t possibly get involved in under any circumstances.|
|The US approach to viewing cyber operations as a technical issue is correct and a valid one. We have to, however, at the same time, be aware that the other side is consistently playing a different game. And that game is to further the narrative of information warfare to get us talking about information per se. The bottom line is that western governments, foremost US, have decided a long time ago the internet was too important and too big to simply be controlled by governments. They have to be controlled by everyone, like the global seas are not controlled by any government in particular. That’s the way we have to keep it, otherwise it might end up going in a very dark direction.|
|Jeff Schechtman:||Do we need to take a giant leap forward in that we need to look for a different kind of structure for the internet as opposed to the one that exists now from a technological perspective?|
|Alexander Klimburg:||I don’t think great leaps forward are the way to go because, in particular, it always depends on what direction that great leap is happening and it is very often that one special interest is going to define that direction. I think that the current way the internet works is fundamentally the way it should continue to work, but what we need to do is work and tinker at the edges. We need to effectively fix a lot of the things that are clearly broken like, for instance, not mandating better security in government agencies, but also in the private sector. It’s completely crazy how easy it is to conduct hacks. If a 10 year old or a 12 year old can do these hacks, then it’s not really the hacker that’s at fault, it’s quite clearly the sender. That has to also be taken into consideration.|
|But we have to keep in mind that defense is done incredibly poorly everywhere. And that there are many things that can be done fairly easily to improve one’s defense not every 10, 12, 13 year old hacker can get in. I think that should be our first step. When we get that far, then we can start talking about how do we agree on rules of the road for states to conduct cyber operations. What is legitimate to blow up and what’s not legitimate to blow up? That’s a discussion that we need to have, but that needs to happen in the context of international law and the normal conduct of warfare and interstate diplomacy.|
|What it can’t involve is how the internet is run as an infrastructure. As internet being run as infrastructure is independent of the content on the internet. The people who run the infrastructure don’t worry if something is good or not, they worry about the pipes, they worry about the roads. What the roads are used for is a different issue. We can’t put those things all in the same bucket. If we allow that to all fall in the same bucket, we’re allowing one single group of actors, in this case government, to control the entire narrative. It’s not something I think the US government wants, or in particular any western government wants, but it’s being pushed there slowly by constant revelations of cyber attacks against which it seems to be completely powerless in which the public is increasingly demanding a response to.|
|That response, however, is going to be simply one issue, take more responsibility for your own defense. And force legislation where necessary to force companies to take care of their data better. That’s the steps we have to take. Looking at restructuring the internet is not, in my mind, the right way to go.|
|Jeff Schechtman:||Why have the defenses been so bad, so weak, historically?|
|Alexander Klimburg:||Historically, it’s one of the arguments that are often advanced is that the internet was not intended to be what it is right now. I think that’s a fair argument, but it’s not necessarily that important because a lot of things that can be done to make the internet safer, simply requires us taking a little bit of effort. We have not taken that effort. When I mean ‘us’, I mean absolutely everyone from the home user who should simply be clear on the fact that we need a little bit better password than like your first name or password or something similar, but all the way up through the highest levels of government that have been, also in the US, incredibly negligent in setting standards for cyber security.|
|I think in part it’s because we were driven very often by this narrative of like, “Well, what does it cost? It only costs us money, it doesn’t bring us any money. Therefore, why should we do it?” They haven’t appreciated the dangers of what happens when things go wrong. This is part of the issue. The technical community of which I am at least nominally part of, the technical community has spent a lot of time not talking about the dangers of cyberspace because they don’t like to talk about threats, they don’t talk about fear, they don’t want to talk about uncertainty, and they don’t want to talk about doubt. They want to talk about hard data. But we don’t have hard data in cyberspace. That’s why I think it’s important that we talk about the worst possible outcomes, the nightmares, the things that can go wrong.|
|Because when talking about what really can go wrong in cyberspace, we can motivate not only the C-level of corporations, but also our political decision makers to help us formulate the response mechanisms that we need. And that is really fundamentally just taking basic security seriously at the most fundamental level and then at interstate level having an honest and open discussion about military capabilities in cyberspace.|
|Jeff Schechtman:||Coming back to our point before though, part of the problem with that, though, in creating those defenses and addressing those issues is that there are too many stakeholders that seem to have an interest in corrupting the idea of a free internet.|
|Alexander Klimburg:||Absolutely. The internet as it is right now is a bottom up construct. It was financed by the US government, but it was built by academics, hobbyists, and later, the private sector. However, other internets were attempted, the French built an internet called Minitel, around for many years, and only recently closed down completely. Russia was trying to build an internet from early as 1950s even before the US started. Their versions were top down. Their idea was to have a centralized control network, to have all the power in the center. Internet we have right now has all the power at the edges of the user. This is why, for instance, net neutrality is such a hot topic issue. And the internet grows this way, bottom up.|
|That’s why it’s so important to understand that it has to be run by this galaxy of different actors. There is, just like the world’s financial system, not one single actor that can actually control it. We wouldn’t want that to be the case anyway. But similarly, just like not everybody needs to know everything about the world financial system, you don’t need to know everything about international bond markets as an average user. You do want to know what your interest rate on your mortgage is going to be and if your economy’s going to collapse. This is why I think everybody needs to be a little bit more aware of what’s happening in cyberspace and how some governments simply have a very different internet in mind than the internet we have today.|
|Jeff Schechtman:||Where are the resistance points today to this multi stakeholder approach? Where is the pushback to that coming from today?|
|Alexander Klimburg:||In the last 18, 20 years, it’s been fairly consistently from Russia and China in the lead with a bunch of other countries that sometimes support it more openly or not. These countries I call the cyber sovereignty countries because they are interested in establishing national sovereignty over what they call their cyberspace, their internet. They want to be able to control everything that happens in it. When I mean control, they mean to really control all information that’s consumed by their citizens. That, of course, is a pretty frightening prospect for western democracies. Since we don’t want to have that not only in our own countries, but globally, we have generally speaking pushed back with support for the multi stakeholder model.|
|The problem is, the multi stakeholder model is built around the civil society, and the private sector, and the government all working together to basically manage different parts of the internet. But government has always had the weakest role. They can blow things up, they can listen in on things, but they can’t really build very much in cyberspace. Now that’s why cyberspace today is run primarily by the civil society and the private sector and governments only have a very small role. Countries like Russia and China have been pushing back on that. They want to have a multi-lateral rather than a multi stakeholder solution to the issue and preferably have critical parts of the internet such as like the domain name service, the telephone book of the internet, under some type of centralized governmental control.|
|If that happens, then we’re potentially entering a very dangerous area where information effectively can be, the information networks themselves, the roads if you will, the c- lanes of cyberspace, can be also connected to law enforcement query. So that a government can demand, for instance, a translated, Chinese translated version, of the New York Times be taken down because they don’t want deal with it or that a political dissident website be taken down because they don’t want to hear it. And that can be taken down globally.|
|This is the image of internet that these parties been pushing for now 15 to 20 years and their target has been the current civil society body, in this case, ICANN who manages this part of the internet. The US government has consistently supported the approach that governments, no government, should control the internet and therefore has been slowly reducing its involvement in the running of the internet, which was always fairly small and now is nonexistent. That was a very important step to take because it basically is a firewall from the claims of other governments such as Russia and China that there should be intergovernmental controlled internet rather than a multi stakeholder and non-stakeholder run internet as it is today.|
|Jeff Schechtman:||What is the model for that? If we were to look at nongovernmental institutions that might be the model for this multi stakeholder intergovernmental approach, where should we look?|
|Alexander Klimburg:||Well, the CNN reporter once said is that your favorite cybernology will always tell you something about yourself. So you can talk about cyber as, for instance, being like environmental change for instance or be like public health. The different models that you can positively choose, I prefer to think of the positive model, Sir Joseph Nye, an international relations scholar at Harvard, for instance, talks about cyberspace as being run by a so-called regime complex of many different types of regimes, institutions, actors that work loosely together. They work loosely together in a way that, for instance, the financial system does. The financial system globally isn’t controlled by a single actor, it’s controlled by a multitude of actors that balance each other out in various ways.|
|There’s no single point of failure also if something goes wrong. There are critical points of failure that can cause a lot of damage, but not one. This is one of the reasons why the internet is so resilient. You can talk, for instance, one of the things that Chancellor Merkel of Germany brought into play only three weeks ago was to see cyberspace as being akin to the world financial system. I think that’s one good analogy we might want to explore further.|
|Jeff Schechtman:||Why is it that some nations as state actors seem to be so much better at hacking at this point?|
|Alexander Klimburg:||It’s very hard to say because if you’re relying on public information, you won’t really know about the most proficient actors. You obviously won’t see what they’re doing. That’s part of the problem is that we have very little insight to what the Chinese and Russian cyber defenders are seeing on their end, what kind of US cyber attacks that they’re experiencing because what we do know for sure is the US cyber attacks are a totally different magnitude than Russian, in particular Chinese cyber attacks, China being a much less proficient actor than Russia here.|
|All we know is that there are maybe three dozen countries out there that are actively trying to acquire offensive cyber capabilities and those capabilities are massively different amongst each other. So there are a couple of countries at the top that are very, very, very proficient and there’s a whole bunch of countries that still can cause significant damage if it came down to it. The question is what those capabilities are used for. In the US case, we can presume that most of these capabilities were used for intelligence gathering purposes. Now potentially, those could be used in a war fighting purpose, we haven’t seen those employed yet, although we have indications of what it would look like, in particular, there was a leaked war plan for what would be done to Iran in case of conflict, for instance.|
|However, the way Russia, for instance, approaches cyber operations, and to lesser extent China, is clearly different. They put the onus of cyber operations not only on the ability to damage, destroy, or spy on data, but also simply to control or influence narratives. So you can have a situation where a hack occurs, for instance, in 2015 against a French TV channel that turns out to be about something else entirely. In the case of the 2015 hack against the French TV channel, that TV station, which actually ran five or six channels, went down completely, was effectively an attack on a critical infrastructure. The perpetrators were supposedly ISIS. So ISIS, the Islamic state, basically put up a claim, or people who claimed to be ISIS, put up a claim saying it was them.|
|The French government later determined that it was actually parts of the Russian government that were behind the attack and their concern was, it was done particularly for one purpose and that was to introduce the narrative of cyber terrorism. Because we were talking about cyber terrorism for months afterwards, right? Wow, we finally saw a cyber terrorist attack. Little did we know, it was not a cyber terrorist attack, it was a government induced attempt to make us talk about terrorism. This is the thing that we have to be aware of is that when we see a cyber attack, it might have a completely different purpose than we actually thought it was. That purpose might be to influence our decision making, our thinking, in a certain direction.|
|Jeff Schechtman:||Alexander Klimburg, his book is The Darkening Web: The War for Cyberspace. Alexander, I thank you so much for spending time with us today.|
|Alexander Klimburg:||Thanks for your time.|
|Jeff Schechtman:||Thank you.|
|Thank you for listening and joining us here on radio WhoWhatWhy. I hope you join us next week for another radio WhoWhatWhy podcast. I’m Jeff Schechtman. If you like this podcast, please feel free to share and help others find it by rating and reviewing it on iTunes. You can also support this podcast and all the work we do by going to WhoWhatWhy.org/donate.|
Related front page panorama photo credit: Adapted by WhoWhatWhy from cyber ghost (Alejandro Juárez / Flickr – CC BY-NC-SA 2.0).