Tech & Policy Initiative, Working Paper Series 2 It is with great pleasure that I invite you to read this second volume of Columbia SIPA’s Tech & Policy Initiative’s Working Paper Series. Building on the insights of the first volume, the second volume features working papers produced by SIPA-supported expert and next generation scholars who are engaging critical areas related to the impact of digital technology on society and institutions. The papers are multi-disciplinary and forward-looking, engaging complex subjects including the critical areas of Internet and data governance, the dynamics of cyber conflict and cyber sovereignty, how digital technology has impacted traditional economic sectors and business models, or other areas. This academic work was undertaken with vital support of the Carnegie Corporation of New York as part of SIPA’s Tech & Policy Initiative, an ambitious effort to explore the digital world and SIPA’s core fields of study. Since its inception, the Tech and Policy Initiative has sought to bridge the gap between policymakers, academics and practitioners in cybersecurity, internet governance and the digital economy through convening, research, training and other activities. The Tech & Policy Initiative draws on many disciplines and talented researchers within SIPA, in other parts of Columbia University, and outside entities to develop insights that will translate into better and more effective policies, and to inform government policies and private sector actions. This volume also includes papers prepared for SIPA’s 2017 Global Digital Futures Policy Forum, an annual conference that brought together more than 100 scholars, private sector leaders, legal experts, entrepreneurs, technologists, and others to discuss the challenges of internet fragmentation. It also features papers prepared for the 2017 State of the Field of Cyber Conflict, an annual conference convening academics and practitioners to advance discussion of new developments in cybersecurity, evolving theory alongside operational and practical concerns. We hope you will find these papers insightful and an illustration of the many opportunities and challenges associated with tackling this complex and ever-evolving field. Merit E. Janow Dean, School of International and Public Affairs Professor of Practice, International Economic Law and International Affairs TABLE OF CONTENTS Section 1: Next Generation Cyber Fellows Sponsored, by Carnegie 1 Defense Divinations: The Design of International Contracts Under Uncertainty About Military Technology Change 2-18 by Justin Key Canfil “No More Free Bugs”: The History, Organization and Implications of the Market for Software Vulnerabilities 19-40 by Ryan Ellis Can Laws Deter Cyber Attacks? 41-57 by Nadiya Kostyuk Blind Spots – Tracking targeted Threats to Civil Society in Reporting, by the Infosec Industry 58-90 by Lennart Maschmeyer Data Flows & National Security: A Conceptual Framework to Assess Restrictions on Data Flows under GATS Security Exception 91-122 by Martina Ferracane Toward a ‘Digital Silk Road’ Strategy? Chinese State-Firm Coordination and Technology Policy Developments in Southeast Asia 123-143 by Shazeda Ahmed Upstream Bundling and Leverage of Market Power 144-162 by Greg Taylor and Alexandre de Cornière Incorporating Cyber-Physical Systems in the Global Cyber Regime Complex 163-185 by Mark Raymond and Laura DeNardis How Internet Infrastructure Emerges in the Global South: Sociotechnical Aspects of an Internet Exchange Point 186-201 by Fernanda Rosa Section 2: Cyber Conflict 202 Cyber Conflict History 203-212 by Max Smeets and Jason Healey Tactical and Operational Dimensions of Cyber Conflict 213-224 by Trey Herr and Roberta Stempfley International Security and the Strategic Dynamics of Cyber Conflict 225-245 by Melissa Griffith and Adam Segal Exploring the Dimensions of Intelligence in Cyber Conflict 246-252 by Michael Warner and Steven Loleski Economic Dimensions of Cyber Conflict 253-260 by Chris Demchak and Benjamin Schechter The International Law of Cyber Conflict 261-276 by Justin Key Canfil Working Paper: Cyber Conflict and Democratic Institutions 277-284 by Sean Kanuck Normative Restraints on Cyber Conflict 285-292 by Joseph Nye Section 3: Digital Economy 293 Digital Trade, E-Commerce, the WTO and Regional Frameworks 294-302 by Dean Merit Janow and Petros Mavroidis Trade Rules for the Digital Economy: Chartering New Waters at the WTO 303 by Neeraj RS The Internet of Things: Both Goods and Services 304-319 by Anupam Chander Trade Commitments and Data Flows: The National Security Wildcard 320 by Norman Zhang Learning about Digital Trade: Privacy and e-Commerce in CETA and TPP 321 by Robert Wolfe Trade Regulation, and Digital Trade 322-328 by Petros Mavroidis E-commerce in South Korean FTAs: Policy Priorities and Provisional Inconsistencies 329 by Evan Kim Framing Conversation: What Would Internet Fragmentation Mean for the Digital Economy? 330-339 by William Drake The Fragmentation Mismatch: Deficiency of Dealing with Fragmentation through Trade Policy 340-347 by Hosuk Lee-Makiyama Section 4: Internet Governance 348 The Future of Global Cyber Trust: Fragmentation v. Universality Tradeoffs 349-355 by Laura DeNardis Doomed to Fragment? Addressing International Security Challenges While Avoiding Internet Fragmentation 356-360 by Hugo Zylberberg and Nikolas Ott The Rising Geopolitics of Internet Governance: Cyber Sovereignty v. Distributed Governance 361-381 by Laura DeNardis, Gordon Goldstein and David Gross ͳǣ ǡ Page 2 Defense Divinations: The Design of International Contracts Under Uncertainty About Military Technology Change, by Justin Key Canfil Page 19 “No More Free Bugs”: The History, Organization and Implications of the Market for Software Vulnerabilities, by Ryan Ellis Page 41 Can Laws Deter Cyber Attacks?, by Nadiya Kostyuk Page 58 Blind Spots – Tracking targeted Threats to Civil Society in Reporting, by the Infosec Industry, by Lennert Maschmeyer Page 91 Data Flows & National Security: A Conceptual Framework to Assess Restrictions on Data Flows under GATS Security Exception, by Martina Ferracane Page 123 Toward a ‘Digital Silk Road’ Strategy? Chinese State-Firm Coordination and Technology Policy Developments in Southeast Asia, by Shazeda Ahmed Page 144 Upstream Bundling and Leverage of Market Power, by Greg Taylor and Alexandre de Cornière Page 163 Incorporating Cyber-Physical Systems in the Global Cyber Regime Complex , by Mark Raymond and Laura DeNardis Page 186 How Internet Infrastructure Emerges in the Global South: Sociotechnical Aspects of an Internet Exchange Point ,, by Fernanda Rosa Knowing Thyself, Not Just Thine Enemy: Explaining Delays in the Development of International Rules for Cyber Conflict Justin Key Canfil1 Introduction The word “cyberattack” has become a household word in recent years. The problems associated with cyber insecurity are pervasive and widespread; by some estimates, the global annual cost of cyberattacks will come to $6 trillion by 2021 (Morgan, 2016). Cyber is considered by the overwhelming majority of scholars to be what Jervis (1978) calls an “offense-dominant” domain, its primary characteristic being that $1 spent on offense costs more than $1 to offset with defense. In Jervis’ (1978) framework, the cyber world is also “doubly dangerous” because offensive tools are often indistinguishable from those used for active defense or espionage. The traditionally preferred tool for managing offense-dominance is deterrence, but deterrence extremely difficult in cyberspace (Libicki, 2009; Kramer, Starr, and Wentz, 2009). Over the objections of some scholars (Valeriano and Maness, 2015; Rid, 2013), worries about a “cyber Pearl Harbor” abound in the media and defense circles (Stavridis 2019; Clarke and Knake, 2011). Recent news that hackers allegedly connected with the Russian government possessed the ability to hold US critical infrastructure at risk has only exacerbated these concerns (Perlroth and Sanger, 2018). Nor is the US the only vulnerable party. Capability also correlates with vulnerability, since developed countries tend to be the most powerful operators but are also the most-networked (Significant Cyber Incidents, 2018), and US adversaries have been targets, as well (Healey, 2019). The stakes, it would seem, are shared by all. Despite universal interest in mitigating the risks of cyber conflict, however, powerful states cannot seem to agree on how international law applies. Some Western experts were optimistic after a number of significant breakthroughs in 2015 (Healey and Maurer, 2017), but subsequent 1 PhD Candidate, Columbia University Department of Political Science; Affiliated Scholar, Department of Law, London School of Economics. [email protected] - The author would like to thank Columbia University SIPA and the Carnegie Corporation for their generous research support. 2 negotiations at the United Nations Group of Global Experts (UNGGE) broke down in 2017 when some participants backtracked (Korzak, 2018). These problems were not a surprise. The international community has been aware of potential problems associated with an ungoverned cyberspace for many decades. Healey and Grindal (2012) mark the earliest inception of cyber conflict as having occurred in 1986. Thirty-plus years later, and despite considerable efforts, no well-articulated model of binding international law applicable to cyberspace has gained universal acceptance. Despite cyber’s novelty, it is not the first time the international community has debated