Modern field guide to security and privacy

State Department Cyber Coordinator: We don’t want a cyberarms treaty

At a Passcode event on Thursday, State Department Cyber Coordinator Chris Painter said the US is still grappling with basic definitions in the digital realm – such as, what constitutes a cyberweapon – complicating the idea of a formal accord to control their use.

Michael Bonfigli/The Christian Science Monitor
State Department Cyber Coordinator Chris Painter speaks at a Passcode event on October 1, 2015.

The US will not be entering into a cyberarms accord with China, said the State Department’s Coordinator for Cyber Issues, insisting that recent news reports of such negotiations were “erroneous.”

“I don’t think it makes sense to have a cyberarms treaty,” Chris Painter told an audience at an event Thursday on America’s strategy in cyberspace hosted by The Christian Science Monitor’s Passcode. 

Ahead of Chinese President Xi Jinping’s visit to Washington, The New York Times reported that the US and China were negotiating what could become the first arms control accord of the digital realm – sparking questions from lawmakers on Capitol Hill in recent weeks about whether the US should seek an international agreement to control the use of cyberweapons.

But reports of negotiations on this front, Mr. Painter said, were “never true.”

In fact, he continued, defining what constitutes a weapon in cyberspace makes the idea of a formal treaty or agreement extremely complex. “I don’t know what a cyberarm is,” Painter said. “There’s a lot of dual-use technology.” A piece of code, he continued, “could be used for malicious purposes, research purposes, defense purposes.… How do you actually control that piece of code?”

While President Xi’s visit last week did not herald a cyberarms accord, Washington and Beijing did announce a high-level agreement stipulating that neither country would use cyberespionage to steal – or support the theft of – intellectual property.

This agreement with China, which the US blames for stealing American trade secrets for the benefit of its private sector, is “very significant,” Painter said.

“Never before had we had a commitment from the Chinese government that that was something impermissible and shouldn’t be done,” Painter said.

The agreement was also a head-scratcher for a number of US analysts, who say they were surprised that China would agree to such restrictions.

Martin Libicki, senior management scientist at RAND Corp., wonders: Why would China – which views intellectual espionage as a key economic strategy – agree to such measures limiting its behavior? One way to explain it, Mr. Libicki said at the Passcode event, is that “they have no intention of abiding by these things.”

What’s more, China’s official position has long been to deny it carries out economic espionage, Libicki said. “So for the Chinese president to come in and say, ‘We’re not going to do this’ isn’t much of a surprise, because they deny doing anything.”

Outside the theft of intellectual property, US officials are still grappling with what, precisely, constitutes a significant cyberattack. “We don’t see cyberwarfare often,” Painter noted. “You could argue that we haven’t seen it at all.”

The Pentagon, for its part, is reluctant to describe what constitutes an act of cyberwar – versus an act of cyberconflict or espionage. At the Passcode event, Deputy Assistant Secretary of Defense for Cyber Policy Aaron Hughes admitted the line between an act of war and a serious act of cybervandalism is “squishy.”

When considering whether the military should get involved to defend the country from a true cyberattack, the threshold might include loss of life, destruction of property, or significant economic consequences, Mr. Hughes said. For the time being, though, acts of cyberwar and possibly military responses “will be evaluated on a case by case basis as decided by the president.”

But companies should not take matters into their own hands to “hack back” even if it means retrieving stolen information, since there is a risk of escalating the conflict, Hughes said. “While I recognize the threat private companies are under, they should leverage law enforcement and, in some cases, the support the Department of Homeland Security provides,” he said. “If a private company were to [hack back] – even if it’s just disrupting the data that has already been stolen – there’s the potential for a misunderstanding of what that is by a foreign entity or a foreign government, which further escalates what’s happening. That would make it difficult for the Department of Defense.”

Yet an attack that could damage critical US infrastructure – the kind of destructive cyberattack that countries including China likely have the means to carry out – is less likely than the headlines might suggest, experts say.

There have been relatively few actual cyberattacks, RAND’s Libicki said.

“We’ve seen a number of attacks that have basically been used to trash computers,” Libicki said. There have been two cyberattacks used to “break something,” he added: Stuxnet, which targeted Iran’s nuclear facilities, and an attack on a German blast furnace reported late last year. None of these attacks, however, created costs that exceeded $100 million, he estimated, whereas the full-scale damage that true cyberwarfare could cause could run “easily” into the billions of dollars.

To call what is taking place in the cyber realm right now “cyberwar,” Libicki said, is “at the very least, grossly premature.”
