Jayant Gandhi, SFS ’13
Thesis Advisor: Professor Matthew Kroenig
STIA Honors Thesis Proposal 2012-2013

The Internet has been around for more than two decades now and has easily become an important part of our daily lives. What is most amazing about the Internet is that its growth does not seem to slow down. People are constantly trying to come up with new ways to use the Internet to improve our lives and those of others across the world. Unfortunately, as is the case with most technology, there is a dark side to the Internet as well.

As the Internet becomes ever more integrated into our daily lives and our dependency on it grows, we become more vulnerable to those who would use the Internet for nefarious purposes. Private enterprises, states, and even individuals have had to deal with these threats since they began to use the Internet. Only recently has the state of affairs become so severe that cyber security has been listed as a top priority for individual states and the international community.

The recent attacks on Estonia and Georgia were perhaps the most rousing examples for the international community. They demonstrated two different ways in which cyber attacks could be used. In the case of Georgia, the cyber attacks were used as a prelude to invasion whereas in Estonia they were (most likely) the result of activist patriot hackers protesting the removal of a war memorial. The threat of disrupting the communications and economy of a nation was proven to be very real. These attacks were just the most public. There are allegations against China for using information warfare to steal trade secrets from American companies, revealing yet another danger of cyberspace.

This realization has led to an acceleration of the cyber arms race as states quickly seek to gather as many experts as they can in order to increase their capabilities. Each state has a desire to increase their own cyber security by augmenting their defensive and offensive capabilities.

The problem is that in information warfare it is much easier to be on the offensive. If left unchecked, the cyber arms race could spin out of control until a major attack was inevitable.

Since cyberspace has no single governing body, the question of how to deal with cyber threats has fallen to individual states and companies. So how can the international community as a whole handle cyberspace? Can diplomacy create a more secure internet?

The idea of having the international community deal with a newly weaponized technology that can inflict massive damage to entire states is not new. When nuclear weapons first appeared there was much debate over how and when they should be used. It was only after years of learning that a relatively stable equilibrium was reached and a global nuclear arms regime was established.

If granted a STIA Honors Thesis I would like to research whether or not the diplomatic policies and techniques that led to the modern non-proliferation regime for nuclear weapons could be applied to the cyber arms race successfully and how smaller states, which suddenly have this capability within their reach, will be affected by this in their foreign policies. In particular, how can states build trust with each other over cyber issues to achieve cyber non-proliferation when attribution is so difficult?

But can such a comparison be made? I believe so. Cyber weapons are a newly weaponized technology that has yet to be fit into any firm norms, similar to how nuclear weapons were when they first appeared. Both were built up by opposing sides out of fear that their opposition would overtake them. The first steps towards a stable regime involved the building of trust between states. This need for trust is one of the primary connections.

While the barrier to entry in the cyber arms race is much lower than the nuclear arms race, it is still something that requires the significant resources of a state with a stable economy.

Due to the increased size and scope of the Internet and its related security it is much more difficult for small individual hacker collectives to inflict any large scale damage. This effectively limits the realm of true information warfare to states (and potentially state-backed non-state actors). The cyber arms race may not be limited to the select number of states the nuclear arms race was, but it still deals with the same type of players.

There is also the unique relationship between the United States and Russia throughout both of these issues. As the two world superpowers during the nuclear arms race, it was clear that their diplomatic relationship over nuclear issues would be interesting and strained at times.

However, since the fall of the Soviet Union, Russia has not been considered to have the same superpower status as the US, but that does not mean Russia’s role has been eliminated.

From very early on Russia has been pushing for the United Nations to pass international regulations on the use of the Internet in the name of security. The US, on the other hand, has been surprisingly sluggish to offer or even support any such proposal. The emergence of the US and Russia on opposite sides of the issue is an interesting parallel to the days of nuclear diplomacy, but it is the fact that diplomacy is being sought to foment cooperation and limit the use of cyber weapons that shows the most compelling similarity.1

1 See for more details: “Annex to the letter dated 12 September 2011 from the Permanent Representatives of China, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General: International code of conduct for information security” ; United Nations – General Assembly; 14 September 2011; http://blog.internetgovernance.org/pdf/UN-infosec-code.pdf

I realize that there are a number of differences between cyber and nuclear weapons as well. For one, nuclear weapons are only designed to destroy, while cyber weapons can also be used to steal information. Cyber attacks are a lot harder to attribute than a nuclear attack. There is also a discrepancy between the level and type of damage caused by each. Most importantly, it is more difficult to design and construct a viable nuclear weapon than it is to create a cyber weapon.

In an article for Strategic Studies Quarterly, Harvard Professor Joseph Nye makes a compelling argument for the validity of the comparison in spite of the differences. The basic idea that he presents is that even though there are dramatic differences between the two technologies (even the smallest nuclear detonation is catastrophic, while cyber attacks can be small and unnoticeable for years), they have followed a similar path in the minds of policy makers.

Both experienced very rapid changes in perception due to constantly changing technological advances. In the infancy of both arms races it was believed that the weapons would be scarce (it was believed that fissile material was very scarce and creators of the early Internet did not envision the multitude of users and mass commercialization of the Internet). He also mentions the similarities between the Atomic Energy Agency and Cyber Command (an offshoot of Strategic Air Command) and how these agencies highlight the relationship between civilian and military leadership when developing strategies. However, the most important similarities he outlines are those in the international reaction to both and how they created an environment where trust was scarce.2

Nye argues that the cyber arms race can and will most likely develop in a similar manner to the nuclear arms race and therefore states should look to the examples of the past for guidance.

2 “Nuclear Lessons for Cyber Security”; Joseph S. Nye Jr.; Strategic Studies Quarterly Vol. 5, No. 4; Winter 2011; http://www.au.af.mil/au/ssq/2011/winter/winter11.pdf

Nye’s work is a very good starting point and justification for my research. He himself cautions against relying too much on historical analogies, but I believe that even analysis of the differences between the nuclear and cyber diplomacy would yield important insights.

Since this is a conceptually focused paper, most of the burden will fall onto my abilities of analysis. I expect a good portion of my research to come from secondary sources such as scholarly papers addressing related issues. However, I do intend to make good use of primary sources given that the field of “cyber diplomacy” is relatively new. My research strategy can be divided into three major themes: the historical perspective, the technical perspective, and the international cooperation perspective.

The historical perspective will focus on justifying the validity of the comparison between nuclear and cyber issues and analyzing what diplomatic tactics were successful (or were not) in moving us towards the current state of nuclear non-proliferation.3 Research under this theme will consist heavily of historical documents on the evolution of nuclear diplomacy. I also plan to research more thoroughly the early history of cyberspace (specifically after the introduction of the World Wide Web in the early 1990s since this marked its arrival into mass use) in order to understand the developmental similarities and differences between the two. Examples of historical documents I intend to use are treaties, international resolutions/declarations, legal texts on the international law surrounding these issues, and historical documentation of major events relating to these fields (e.g. the Cuban Missile Crisis, Stuxnet, the Estonian DDoS attacks).

3 I feel I should add at this point that while I am setting the current state of the non-proliferation regime to be the goal of the cyber arms race I recognize that it is not perfect. It is merely meant to be an example of relative success in the face of a very difficult scenario. It is possible that my research may lead me to conclude that the cyber non-proliferation regime should look very different from the nuclear regime. However, the point of the paper is not to show how to make the cyber arms race look like the nuclear arms race, but rather to see if the lessons learned from the past can help us achieve some semblance of equilibrium sooner.

The technical perspective seeks to illuminate the finer points of the technical realities of cyber security in order to better understand the diplomatic consequences of certain actions. There may be a small need to research some technical aspects of nuclear weapons, but since the focus of the paper is on cyber this would only serve as ancillary information for a greater point. It is of the utmost importance for me to be able to talk confidently about the technical facets of information warfare and to be able to explain them to non-experts (I plan on giving an overview of some basic principles of cyberspace such as the TCP/IP model and its role). While I am fairly proficient in my knowledge of information technology (I have taken several courses on the subject and it has been a general interest of mine outside of the academic setting as well), I am aware that it will be necessary to stay as up to date as possible on the most current information security (infosec) strategies and especially the most current attribution methods.

I am positive that the issue of attribution will be a major point of discussion in my paper.

This means that I will need to be able to speak to both the technical hurdles that impede attribution and the implications in a diplomatic situation. My research for this theme will rely heavily on technical documents outlining infosec methods, attribution techniques, and even the latest offensive tools. There is a lot of literature on these topics online; the task will be to sort through all this information to find the most relevant pieces. I also plan to make good use of my former professors with expertise in the area who could advise me on where to look for information.

The third research theme, the international cooperation perspective, will look towards more current events in cyber diplomacy in order to ground the paper in the diplomatic realities.

For example, it will be crucial to examine the relationship between Russia and the US on these issues as well as to look at the competing statements on infosec from different international bodies (such as the difference between the EU’s initiative on “Critical Information Infrastructure Protection” and the Russian-led proposal for an “International code of conduct for information security”).4,5 The role of small states will be important in this theme and will require me to research a few examples of small states’ diplomatic actions and concerns in infosec (Eastern European states may prove the best examples seeing as they seem to suffer many attacks). This theme will also focus on the pitfalls of the current nuclear regime in order to see if these can be avoided in the cyber realm.6 I intend to focus my research on international declarations/resolutions, the current cyber-policies of different states and international bodies, legal texts concerning cyber and nuclear issues, news articles, and scholarly papers written on related topics.7

I am fairly confident about the accessibility of the documents required for my research; most are kept in the records of major organizations and are open to the public. There may be a need to request certain documents from publishers or their authors if they are not readily available, but I do not foresee this to be a major impediment to my research. As mentioned earlier, the major burden falls to my abilities of analysis, which I am confident in.

4 “Annex to the letter dated 12 September 2011 from the Permanent Representatives of China, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General: International code of conduct for information security” ; United Nations – General Assembly; 14 September 2011; http://blog.internetgovernance.org/pdf/UN-infosec-code.pdf

5 “Critical Information Infrastructure Protection”; EU Commission on Information Security ; March 31, 2011 ; http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm

6 One pitfall of relevance to cyber that comes to mind is the struggles the nuclear regime has had with dealing with the dual purpose of nuclear technologies. It is a difficult balance to maintain between allowing civilian use of a technology and ensuring that the same technology is not weaponized. This balance is intensified by the open nature of the Internet.

7 There is some overlap here between the first and second research themes. The separation here is more to keep my research better organized and easier to analyze.

In my analysis I will need to be sure to have a clear measure of success of a diplomatic policy and to keep a clear distinction between comparing and equating the two arms races.

Cooperation and trust will be the two defining factors of the former. I can measure these through analysis of language being used and level of the preference to talk first instead of acting. The latter requires a proficient understanding of the differences between the cyber and nuclear realms; an understanding that my research should aid tremendously. Analysis has always been a strength of mine and I believe my skills to be sufficient for the proposed project.

Professor Matthew Kroenig has agreed to be my Thesis Advisor for this project. His expertise in nuclear security and foreign affairs will be invaluable in my analysis of the effectiveness of nuclear diplomacy as relates to cyber. He has also expressed an interest in examining whether or not the diplomatic strategies used in nuclear non-proliferation diplomacy can be applied to the cyber arms race.

I believe this project to be perfectly suitable for the one year timeframe. I am not proposing to come up with a new diplomatic strategy, but rather seeing if an existing one can be applied to this situation (a much more manageable task). Research collection should not be too difficult given that most of the information I need is in the public domain. This is also a question that I have already spent a lot of time thinking about and researching in my spare time. I have used every opportunity available to me in my courses to do research on both nuclear and cyber issues, giving me a solid foundation for this undertaking.8

Above all I would like to emphasize my passion for this topic. I would be ecstatic to be given the opportunity to write an STIA Honors Thesis about these issues. There is still so much to learn about how to deal with cyber security on the international stage and recent events are showing us how important it is that we learn soon. It would be an honor to contribute even the tiniest bit of knowledge to this field in order to move us towards a more stable future. I believe the Internet is one of the greatest assets to human development (socially, intellectually, and culturally) and that is why it is of the utmost importance that we understand how to protect and use it properly.

8 Of particular use to me will be my course on Information Warfare I am currently enrolled in which has afforded me the opportunity to meet many experts in the Infosec field and establish a relationship with Professor Matthew Devost.
