Interview: Hacker OPSEC with The Grugq

The Grugq is a world-renowned information security researcher with 15 years of industry experience. Grugq started his career at a Fortune 100 company, before transitioning to @stake, where he was forced to resign for publishing a Phrack article on anti-forensics. Since then the Grugq has presented on anti-forensics at dozens of international security conferences, as well as giving talks on numerous other security topics. As an independent information security consultant the Grugq has performed engagements for a wide range of customers, from startups to enterprises and the public sector. He has worked as a professional penetration tester, a developer, and a full-time security researcher. The Grugq’s research has always been heavily biased towards the counterintelligence aspects of information security. His research has been referenced in books, papers, magazines, and newspapers. Currently an independent researcher, the grugq is actively engaged in exploring the intersection of traditional tradecraft and the hacker skillset, learning the techniques that covert organisations use to operate clandestinely and applying them to the Internet. You can follow him on Twitter at @thegrugq.

John Little: You blog and have given conference presentations on Hacker OPSEC. You started doing this before the recent NSA revelations (and the general hysteria surrounding intelligence collection) but you were already warning hackers that states had superseded them as the internet’s apex predator. In just a couple of years we’ve moved from the seeming invincibility of LulzSec, to high profile busts, and now onto serious concerns being raised about every aspect of the internet’s architecture, security models, and tools. Rock solid OPSEC is a refuge but maintaining it for long periods of time under significant pressure is very difficult. The deck is obviously stacked against anyone trying to evade state surveillance or prosecution so where do freedom fighters and those with less noble intentions go from here?

The Grugq: You raise a number of interesting points. I’ll ramble on about them in a moment, but before that I’d like to clarify for your readers a bit about where I am coming from. Firstly, I am not a “privacy advocate”, I am an information security researcher. My career in information security has been mostly focused around denial and deception at the technical level.

Recently, however, I became aware that this “fetishizing the technology” approach is simply not effective in the real world. So I turned to studying clandestine skills used in espionage and by illicit groups, such as narcotics cartels and terrorist groups. The tradecraft of these clandestine organizations is what I am trying to extract, inject with hacker growth hormone, and then teach to those who need real security: journalists; executives traveling to adversarial environments; silly kids making stupid life-altering mistakes, etc.

The media has actually expressed a lot of interest in improving their security posture, and I am engaged in helping some journalists develop good OPSEC habits. Or at least, learn what those habits would be, so they have some idea of what to aspire to. There is a strange intransigence with some who reject improved security with the line: “but we’re not criminals! Why do we need this?” Well, the only answer I have is that OPSEC is prophylactic: you might not need it now, but when you do, you can’t activate it retroactively. As I phrased it in my “The Ten Hack Commandments” — be proactively paranoid, it doesn’t work retroactively.

So, that’s how I’ve arrived at hacker tradecraft, and where I’m trying to take it. On to the issues you’ve raised about good OPSEC and living a clandestine life.

The stress of the clandestine lifestyle is something that people tend to gloss over all too easily. This is an observation that comes up frequently in the literature about terrorist groups, espionage agents, and revolutionaries. There are a lot of compound issues which combine to make this sort of “good OPSEC” lifestyle very unhealthy for the human mind:

1. Isolation
2. Compartmentation of the ego
3. Paranoia related stress

Isolation provides the strongest security, and all good security involves a significant investment in maintaining a low profile, “going underground”, “off the grid”, etc. This means that the clandestine operative has reduced visibility over the social and political landscape, and their telemetry will suffer. Degraded telemetry means they will be unable to self-correct and reorient to what is happening around them. If they are part of a cell, a group of operatives in communal isolation, they will tend to self-reinforce their ideology, effectively radicalizing and distancing themselves further from the mainstream norms of society. This additional isolation can create a feedback loop.

If the operative isn’t living a completely isolated clandestine lifestyle in their Unabomber cabin, they will have to isolate parts of their individual selves to compartment the different aspects of their lives. There will be their normal public life, the one face they show to the world, and also a sharded ego with their clandestine life. Maintaining strict compartmentation of the mind is stressful, the sharded individual will be a sum less than the total of the parts.

As if that wasn’t enough, there is the constant fear of discovery, that the clandestine cover will be stripped away by the adversary. This leaves the operative constantly fretting about the small details of each clandestine operational activity. Coupled with the compartmentalization of the self, the operative also has to stress about each non-operational activity, will this seemingly innocent action be the trigger that brings it all crashing down?

Seriously, maintaining a strong security posture for prolonged periods of time is an extremely stressful and difficult act. Operatives working for the intelligence agencies have a significantly easier time of it than those on the other side of the protection of the state, e.g. their agents, hackers, terrorists, and narcos. The “legal” operatives have peers that they can confide in and unwind with thanks to the protections of the nation state. The true clandestine agents must be guarded with their peers, the public and the adversary. Any peer might be an informant, either now or in the future. Opening up and being friendly with their peers is part of what led to the unraveling of the LulzSec hacker group.

This leaves people who need to operate clandestinely and use the internet with a real problem. How can you be on the Internet and isolated? Well, compartmentation is the only answer, but it is expensive and fragile, even a single error or mistake can destroy the whole thing. This is why I’ve advocated that people who seek to operate clandestinely combine deception, that is, multiple covers, for their compartmented activities. It is possible to embed tripwires into the cover identities and be alerted when they’re blown.

My thinking these days is that an operative must minimize the time that they are engaged in a clandestine operation. Something like the theory of special operations, the period of vulnerability only grows the longer the operation goes on. Clandestine operational activity must be compartmented, it must be planned, it must be short in duration, and it must be rehearsed (or at least, composed of habitual actions). It is possible to do, and I believe that even non-experts can pull it off, but it must be limited in scope and duration. Prolonged exposure to underground living is caustic to the soul.

John Little: There is a significant amount of paranoia circulating in hacker and activist communities right now. How much of it is justified? More importantly, how should people go about conducting a realistic personal risk assessment before they start piling on layer after layer of OPSEC? How can they strike that balance between the tedium and isolation and security that is “good enough”?

The Grugq: There is certainly a great deal of paranoia, some of it justified, some of it unjustified, and some of it misdirected. I think it is important to remember that paranoia is unhealthy, it is paralyzing, it is divisive, and it is harmful to operational effectiveness. The goal to aim for is caution. Allowing the adversary to inflict paranoia on you, or your group, gives them an easy psychological operation “win”. So let’s drop the paranoia and figure out what security precautions we must take in order to operate safely and effectively.

As you bring up, the core to effective security is performing a risk assessment, deciding what information is most important to protect, and then developing mitigation strategies to safeguard that information. There are books and manuals that go into this in great depth, so I won’t spend a lot of time on the details.

A risk assessment should focus on the most high impact items first. To determine this, you list your adversaries and group them by intent and capability. So the NSA would have a very high capability, but probably has a low intent of targeting you. Then you make a list of information about your secrets, what you are trying to protect, and group that based on the negative impact it would have if it were in the hands of an opponent. The most damaging information must be protected from the likely and the most capable adversaries.

Generally speaking, if you’re engaged in a clandestine activity that you want to protect, the core information to secure is:

1. Your identity
2. Your clandestine activity
3. Your association with the activity

So let’s take the example of the Dread Pirate Roberts, who’s been in the news recently after he got arrested. His adversaries were highly capable, including a wide range of law enforcement officials from across the globe. They were highly motivated, because DPR and his site were very high profile. So you have high capability, and high intent. Not looking good so far.

The information that was most important was his personal real world identity, followed by his location. Protecting that information would require:

1. Robust compartmentation
2. Reducing his exposure to the most capable adversaries (e.g. leave the USA)
3. A strong disinformation campaign
4. Limiting his time in “the dragonworld” (to use J. Bells’ term for the underground)

For most people engaged in a clandestine activity this list is probably what they will want to follow. The exact mitigation enacted for each component in the list is case dependent. As we discussed earlier, and as you’ve said, we need to find a good balance between an aggressive security posture and living a rewarding life.

Remember, the goal is to reduce the quantity and the quality of information available to the adversary.

John Little: So a point which both of us comment on with some regularity is the fact that security is rooted in behavior rather than technology. That’s always been true to some extent but never more than now. Tools are suspect, almost across the board. And a lot of assumptions about security have to be tossed aside. But one thing is certain, hackers adapt to the adversary. Terrorists do this well too. An attacker who can successfully parse all this and adapt is going to be a very significant threat. How can states counter the advanced threats? How can they counter hackers who know how to manage OPSEC and technical security to evade detection?

The Grugq: HUMINT. More of it.

The role of SIGINT in intelligence has basically been this weird bubble, starting around WWII when the love of SIGINT started until recently, when some of the SIGINT capabilities are starting to go dark. SIGINT is much more attractive than HUMINT. Signals don’t lie. They don’t forget. They don’t show up late to meetings, or provide intelligence information that is deliberately deceptive. SIGINT is the heroin of intelligence collection. The whole world got hooked on it when they discovered it, and it has had a very good run… it will probably continue to be useful for decades more, but really… the real utility of SIGINT will start to diminish now. It has to. The amount of encryption being deployed means that many mass collection capabilities will start to go dark. I, of course, am in total favour of this. I think that the privacy and protection of the entire Internet are more important than the ability of the US government to model the “chatter” between everyone using the Internet. The reduced security that the US government has tried (and succeeded) to force on the entire world makes all of us less safe against any adversary.

SIGINT is really the sort of intelligence collection technique that needs to lose its prominence in the pantheon of intelligence gods. It is very easy for a serious adversary to defeat: basic tradecraft from the days of Allen Dulles will work (leave the phone behind, have the meeting while taking a walk). This tradecraft technique is described by Dulles, in 50 year old KGB manuals, and by Hizbollah operatives last year. The only way to catch people who are capable of any sort of OPSEC / tradecraft is via: a) Mistakes that they make (very easy for amateurs to make mistakes), or b) Via HUMINT. Spies catch spies, as the saying goes. It might be updated to, spies catch clandestine operatives.

Historically, the value of HUMINT has been very hit and miss, but those “hits” are extremely valuable. The major successes of the Cold War were almost all the result of human beings who became spies for the opposition: Ames, Hanssen, Walker, Howard, Tolkachev, etc. There are myriad cases with terrorist groups as well; informants are the best weapon against them. Relying on SIGINT is essentially relying on the adversary (terrorist groups) having poor tradecraft and terrible counterintelligence practices. This is simply not the case, at least not with sophisticated dangerous groups.

Double down on HUMINT and scale back SIGINT. SIGINT can be evaded, but HUMINT, essentially exploiting trust relationships, will always bite you in the ass.

John Little: Hackers are going to have to evolve in the same direction though aren’t they? Technology isn’t their salvation from an OPSEC perspective, in fact it is really the weakest link in their security model, so they will have to fully embrace good old-fashioned tradecraft and deception to avoid detection. Do you see an appreciation of that in the hacking community? It seems like a lot of big name hackers are still making fairly simple OPSEC mistakes.

The Grugq: Exactly, this is really the understanding that needs to sink in: technology alone will not save you. Hacker culture, almost by definition, is technology obsessed. We fetishize technology and gadgets, and this leads us to the deep-seated belief that if we just use the right tool, our problems will be solved. This mindset is fundamentally wrong. At best, I would call it misguided, but really I believe that most of the time it is actually counterproductive.

Trust is the weakest link in the security chain, it is what will get you in the most trouble. This goes double for trusting in technology (even, as Bruce Schneier says “trust the math”). Tech is not the path to security. Security comes from the way that you live your life, not the tools. The tools are simply enablers. They’re utilities. OPSEC is a practice.

Expecting the tools to provide security for you is like buying a set of weights and then sitting around waiting for your fitness to improve. The fallacy that technology will provide the solution has to be seen for what it is, a false promise. There is nothing that will protect secrets better than not telling them to people!

Good OPSEC is founded on the same basic principles that have governed clandestine activities since the dawn of time. Hackers might be new, but good hackers require the same set of skills as the second oldest profession. Good OPSEC is timeless, and it stems from the application of the principles of clandestine operation, using caution and common sense.

The “73 rules of spycraft” by Allen Dulles was written before the Internet, before hacker culture (even phreaker culture) existed. I believe it is one of the most valuable guides available to understanding how to implement OPSEC. (As an interesting aside, harking back to one of my previous points, Dulles recommends taking vacations to get away from the stress of “work”.)

There are a lot of very public hackers who exhibit terrible security practices. Many of them are techno fetishists rather than espionage geeks; consequently they fail to understand how limited their knowledge is. It’s the Dunning–Kruger effect in full tilt. They don’t do the research on their opposition and don’t know what sort of techniques will be used against them. By the time they figure it out, they are usually just an opportunity for the rest of us to practice Lessons Learned analysis. Of course the great tragedy is that many of the hacker community suffer from hubris that prevents them from actually learning from others’ failures.

A friend of mine paraphrased Brian Snow (formerly of the NSA): “our security comes not from our expertise, but from the sufferance of our opposition”. As soon as the adversary is aware of the existence of secrets worth discovering, and has the resources available to pursue them, hackers rapidly learn how good their OPSEC is.

John Little: I’ve always been amazed at the very public profiles of some hackers, especially where conferences are concerned. Granted, most are legitimate security researchers but there are also many in the community who occupy a grey area that is guaranteed to draw attention from intelligence or law enforcement agencies. Are hackers largely underestimating the skill with which intelligence agencies can penetrate, encircle, and absorb aspects of their community? Are we in for significant changes in the relationship between IC/LE and hackers, how hackers view themselves from a security standpoint, and how hackers engage each other?

The Grugq: Yes, very much so. There is a growing awareness of the altered threat landscape, and the need for an improved security posture. For decades the hacker community has been myopically focused on SIGINT threats, the sorts of technical attacks that have technical solutions. The HUMINT threat has been misunderstood, or ignored completely. That is changing as the hacker community is starting to learn and practice counterintelligence.

It is a difficult transition though, as some core counterintelligence principles run directly counter to the hacker ethos. There are a lot of factors at play, but one of the important ones is that hacker culture is very much a research culture. There is a great deal of knowledge exchange that goes on rather freely within various segments of the community. The problem, of course, is that the trading of information, which is so central to hacker culture, is the antithesis of a strong security posture. Many hackers realize this, so they only share with trusted friends, who then only share with their trusted friends, who then… and then suddenly everyone is on lists and someone is going to jail.

Security conferences are important events for hackers where they disseminate their research and findings, and socialize. This makes these events very target rich environments for intelligence agencies looking to build dossiers on hackers. They can see who is socializing with whom, attempt to recruit people, elicit information on capabilities, install malware on computers, collect intel from computers, and so on. That hackers would expose themselves to these activities seems very counterproductive for robust security. What gives?

The hacker community has a slightly different set of moral and ethical guidelines than mainstream society, which leads to problems with the authorities. Broadly speaking, few hackers view breaking into a system as unethical or morally wrong. Damaging the system, stealing information, or otherwise abusing the system is wrong. Simply accessing it is a challenge. The police, of course, view things differently: an illegal act is an illegal act.

For hackers the secret knowledge that they discover from active research is something to be proud of, and so we’re very excited to brag about our findings, activities or capabilities. This information is treated as something that will be kept within the community, bound by the FrieNDA. Of course, this is all based on trust, which is a very dangerous foundation for any security system. As Dulles says, the second greatest vice is vanity, the third is drink. Security conferences are not the places to avoid those vices!

So there is certainly this dynamic of wanting to brag about our discoveries from active research, but at the same time the tension of “what will happen if this leaks?”. These days we know what will happen: overzealous law enforcement and prosecution: weev, Aaron Swartz, Stephen Watt, Dan Cuthbert, etc. The authorities view hackers as modern day witches, something to be feared and destroyed. It is unfortunate for the hacker community in many ways. Intelligent people who could contribute to mainstream society have their lives destroyed. So the repercussions of what are generally harmless activities can be devastating and life altering. Unfortunately, the protections that hackers turn to tend to be technological, but the problem is humans.

The hacker community is easy prey for law enforcement and the intelligence community. Very few hackers are savvy enough to spot a recruitment pitch, or to understand that what they think is amusing others view as criminal. I think this is starting to change. These days there is a lot less discussion about illegal hacking of systems (whether for monetary gain or not), and more about how to protect against the massive Internet surveillance that has been made public.

In this, I think, the hacker community and the general public are finding a lot of common cause against the LE/IC. There is a lot of good that will come out of this realization that the technology of privacy is actually important and should be ubiquitous, and easy to use. The default should be secure. Of course, as we know, this won’t help that much if someone is going around making basic OPSEC errors. So strong privacy protections for everyone will make the job of the LE/IC a bit harder, but it will also make everyone safer. I think that is a fair trade off.

Similarly, I think a lot of hackers would be quite happy to help the LE/IC community with technology support and ideas. The problem is that the relationship is a difficult one to establish. The IC is a black hole, sucking in information and returning nothing. I don’t know how there can be meaningful engagement between the two communities, which I believe is a tremendous shame. There is a lot that can be learned from both sides, and I would love for the IC to contribute back. Law enforcement doesn’t interest me that much. Personally, my interest with LE begins and ends with studying their tools, techniques and procedures for counterintelligence purposes. Something that, historically at least, few other hackers actually do. That is changing.

Hackers are learning to tighten up their security posture, they are learning about the tools, techniques and procedures that get used against them, and they are learning how to protect themselves. Of course, the preponderance of criminal activity is committed in places where lax enforcement of computer crime laws allows blackhats to operate inside “protected territory”. In the long term, this is an extremely dangerous situation for those guys, of course, because without an adversarial environment they won’t learn how to operate securely. When the rules change, they will be caught out, completely unprepared.

The intelligence agencies and law enforcement departments have decades of organizational history and knowledge. The individual members can display wide ranges of skill and competence, but the resources and core knowledge of the organization dwarf what any individual hacker has available. Many of the skills that a hacker needs to learn, his clandestine tradecraft and OPSEC, are the sort of skills that organizations are excellent at developing and disseminating. These are not very good skill-sets for an individual to learn through trial and error, because those errors have significant negative consequences. An organization can afford to lose people as it learns how to deal with the adversary; but an individual cannot afford to make a similar sacrifice — after all, who would benefit from your negative example?

The skills that hackers do have, the highly technical capabilities they can bring to the game, are not useful against an adversary whose primary skill is manipulating other people. Knowing how to configure a firewall, use Tor, encrypt everything, etc. isn’t going to do much good if you also attend a conference without a highly tuned functioning spook-dar and a working knowledge of anti-elicitation techniques. The hackers are hopelessly outclassed at this game. Hell, the majority of them don’t even know that they’re playing!

Times are changing though, and hackers are starting to learn: OPSEC will get you through times of no crypto better than crypto will get you through times of no OPSEC.

Tara Maller: Enhancing the Cyberdiplomacy Arsenal

Tara Maller is a research fellow in the National Security Studies Program at the New America Foundation. Her current areas of focus include sanctions, diplomacy, intelligence, cybersecurity, terrorism and women in security. Previously, she worked at BrightWire Inc., a NY-based startup, where she served as the managing editor and managing director of Operations, Americas. In 2011, she received her Ph.D. in political science at MIT, where her dissertation focused on information collection, diplomacy and sanctions. During this time, she was an affiliate of MIT’s Security Studies Program and she served as a research fellow in the International Security Program at the Belfer Center for Science & International Affairs at Harvard’s Kennedy School of Government. Previously, Maller worked as a military analyst at the Central Intelligence Agency, focusing on the Iraq insurgency. She has published articles in The Washington Quarterly, Studies in Conflict and Terrorism and PS: Political Science and Politics. She has also written for, and The Huffington Post and has appeared on CNN’s Erin Burnett OutFront and Bloomberg’s Bottom Line. She graduated with a B.A. in government from Dartmouth College and received an M.A. in international relations from the University of Chicago. You can follow her on Twitter at @TaraMaller.

This working paper was written for the conference on “China-US Cooperation & Disagreement Management with a Vision of a New Type of Relations.” The conference was hosted by the China Institute of International Studies and took place August 18-25, 2013 in Changchun and Beijing. The paper was presented as part of a panel on cybersecurity.

A few months ago, the Syrian Electronic Army hacked an AP Twitter account and posted a tweet that read, “Breaking: Two Explosions in the White House and Barack Obama is injured.” It was quickly remedied with the AP locking down the site and individuals indicating this was not true, but the tweet had a short-term impact on the market with the Dow dropping more than 140 points in response to the initial tweet (and then rebounding). Early this month, the same group took over the blog account of a British journalist with a message stating, “Nuclear strikes on Syria: the genie is already out of the bottle.” While these attacks did not cause physical damage to infrastructure or loss of life, these examples illustrate how easily the cyber realm allows non-state actors and individuals to employ an asymmetric tactic to pose potential economic or military harm to larger countries like both the United States and China. This can be done through various types of attacks including ones that put out false information, steal information or deny and disrupt services. While both the US and China have bilateral grievances and legitimate disagreements with each other in the cyber domain, cybersecurity is an issue that goes beyond the US and China. Both countries ought to be able to work together to recognize that they share a mutual interest in cooperating on cybersecurity because a variety of actors in the international system can pose a threat to the prosperity and well-being of both countries over the longer-term.

The purpose of this conference working paper is to emphasize the importance of diplomacy in the realm of cybersecurity, point out some of the obstacles to diplomatic progress and suggest some ways to start moving forward on the cyberdiplomacy agenda.

While we’ve seen cybersecurity rise to the top of the United States’ foreign policy agenda, we haven’t yet seen the full-fledged diplomatic effort that is needed to address associated issues; nor have we seen concrete results. Nevertheless, we can identify promising signs that both the US and China are ramping up efforts to engage in dialogue on these issues. Just this week, Christopher Painter, the US State Department Coordinator for Cyber Issues, acknowledged the depth of cooperation on the issue by saying, “I know I’ve been to China more than any other country since I’ve taken this job.” In June, China’s Ministry of Foreign Affairs announced it had set up a cyber affairs office “to coordinate deal diplomatic activities related to cyber affairs.”

To date, we’ve seen some incremental steps that are promising, but more can be done to overcome barriers to cyberdiplomacy and enhance the cyberdiplomacy arsenal. Both the US and China play critical roles in ensuring that a diplomatic strategy lies at the core of joint US-Sino efforts to resolve cybersecurity issues. Both countries must work together to establish concrete frameworks, mechanisms and communication channels for working through these difficult and complex cyber issues.

While we have not yet seen a cyber attack lead to a military conflict, nor have we seen a cyber attack carried out as an act of war or in the form of a deadly terrorist attack, these remain serious and real threats to both countries. In the interconnected and globally interdependent world we live in, a large-scale cyber attack on either the United States or China – whether it be economic or kinetic in nature – would have ripple effects felt beyond the borders of both countries. The US and China share incentives to cooperate to secure cyberspace even if they have bilateral disagreements about the norms governing their own cyber activities. Having said that, the divergent viewpoints between the United States and China on matters related to economic espionage and intellectual property need to be directly addressed on a continual basis and need to be taken seriously, or they have the potential to heighten tensions between the two nations and undermine progress and cooperation in other foreign policy areas. However, patience is definitely needed by both sides, as diplomacy should not be expected to resolve all differences between the United States and China overnight.

My doctoral dissertation focused on the role of US diplomacy in the context of US sanctions episodes, so I come to this discussion as someone who has studied the value of diplomacy in the context of a wide range of difficult and complex issues. Many of these lessons from my work can be taken and applied to the challenges of cybersecurity. In this paper, I’ll set forth some of the challenges to cyberdiplomacy and suggest some mechanisms for overcoming these challenges. I’ll also address some concrete measures the US and China could take going forward in the realm of cyberdiplomacy.

Prioritizing the Cybersecurity Threat

Clearly, cybersecurity has become one of the primary areas of focus on the US national security agenda. In the March 2013 Intelligence Community’s Worldwide Threat Assessment, the Director of National Intelligence, James Clapper, named the cyber threat as the number one threat to the United States. In a speech this fall, then U.S. Secretary of Defense Leon Panetta warned of the potential for a “cyber Pearl Harbor.” The possibility of a large-scale cyberattack on American soil with physical ramifications and loss of American lives is a real one. According to U.S. military officials, cyberattacks on critical U.S. infrastructure increased 17-fold from 2007 to 2009. In 2011 alone, cyberattacks increased 40%. In the 2013 defense budget, cybersecurity is one of the few areas of defense spending projected to increase. The United States is concerned about cyber threats from a broad landscape of international actors – both state and non-state. According to a recent July 2013 report by the Congressional Research Service (CRS), “National Security Advisor Tom Donilon said in a speech on March 11 that concerns about cyber threats, not ordinary cyber crime or hacking, moved to the forefront of the agenda with China (up to the level of the President)…” The CRS report also notes that President Obama raised the issue of cyber threats as a “shared challenge” with President Xi Jinping in a call on March 14, 2013.

In response to the growing concerns over the cyber threat, the U.S. Department of Homeland Security (DHS) and other Washington, D.C. professional organizations and universities have ramped up recruiting and hiring for cybersecurity jobs and educational programs. The Cyber Command at the Pentagon has also fortified its workforce and resources. Earlier this year, the Washington Post cited the dramatic growth of US Cyber Command from 900 to 4,000 personnel. However, we have not seen the same degree of proliferation of offices and roles dealing with cyber at the State Department. There is the Office of the Coordinator for Cyber Issues and others who deal with internet-related topics at the State Department. In his Foreign Policy piece on this issue, Tim Maurer notes that, “the number of diplomats clearly pales in comparison to the number of warriors at Cybercom and other arms of the Pentagon, to say nothing of the cybersecurity elements at the Department of Homeland Security.” In June, China’s Ministry of Foreign Affairs announced it has set up a cyber affairs office “to coordinate deal diplomatic activities related to cyber affairs.” Globally, other countries also need to start ramping up their attention and focus on cyber-related issues. In an interview just last week with Christopher Painter, the US State Department’s Coordinator for Cyber Issues, he notes that, “There are probably now 10 counterparts to me around the world, which is a good thing because that elevates the discussion and policy issue, and grounds it in the reality that it’s not just this technical issue, it’s a policy area.” While these are all steps in the right direction, more needs to be done in the realm of cyberdiplomacy.

Obstacles to Diplomatic Progress on the Cyber Front

There are a number of challenges and obstacles to cyberdiplomacy – some of which are specific to cyber issues and others which generally plague diplomatic efforts on complex areas of disagreement.

The many components of cybersecurity: When we speak of cybersecurity, one of the problems is that it encompasses a diverse set of areas that probably ought to be broken out into four categories, as they require different types of discussions, norms and solutions: 1) cyberwarfare, 2) economic espionage, 3) cybercrime, and 4) cyber terrorism. The US and China have a vested interest in addressing the cyber landscape across all of these dimensions – in terms of bilateral relations and in dealing with the threat posed to both states from non-state actors (such as terrorist organizations and criminal groups).

The scope of the problem in terms of areas of vulnerability and perpetrators: Cybersecurity issues truly permeate through all aspects of our societies. From the individual user’s computer to electrical infrastructure to nuclear facilities, the vulnerable targets are vast, as are the potential perpetrators. Different areas of the cyber realm may require different solutions. Whether dealing with infrastructure targets or business computers or nuclear facilities, there may need to be different solutions to making sure these targets remain safe and that the international community understands the norms and penalties associated with different types of attacks on different types of targets. In addition, both state and non-state actors can carry out cyber attacks, so diplomatic efforts must address both of these areas.

The confusion over applying security paradigms: When dealing with cyber in the state to state realm, do traditional security paradigms and structures apply to the realm of cyber or is it something new in the context of international conflict? There seems to be confusion as to what international law applies with regard to concepts like deterrence or laws of war. The field is not nearly as mature as other areas of conflict, so diplomatic efforts are taking place outside an existing governing structure.

Mutual suspicions and tensions taint diplomatic processes: In addition, political leaders may face more general barriers to strong diplomatic outreach with regard to complex areas where tensions may be high or there may be areas of disagreement – China/US cybersecurity is no exception. Unfortunately, when mutual suspicions and hostilities are present, leaders tend to resist diplomatic outreach, and it makes cooperation more difficult. It might also be more difficult to find In the United States, historically, we’ve seen US leaders criticized for wanting to adopt policies predicated on strong diplomatic engagement with adversaries or states with which we have disagreements. In Anatomy of Mistrust, Deborah Larson argues that mutual mistrust may actually create self-fulfilling prophecies between states and failures in cooperation. She argues that officials who fear and distrust one another are likely to take actions which essentially fuel more fear and distrust, which works to perpetuate a cycle by worsening the dynamic that already existed at the outset.

Political pressures and challenges to diplomacy: In general, political leaders may also worry about appearing weak to domestic or international audiences if they make diplomatic overtures or express a willingness to negotiate with certain actors or states. These concerns can be even more salient if they are thinking about reversing their position. In other words, leaders may worry that their previous strategies will be perceived as failures if they modify their positions and they may also fear losing credibility.

Diplomacy Matters

Diplomacy is not just symbolic. It provides a window into both sides’ decision-making processes and motivations – and increases trust between the parties involved. Increased diplomatic interaction also helps clarify the nature of the demands and resolve ambiguity or misperceptions that exist. All of this is necessary in the context of cybersecurity disagreements between the United States and China.

The United States and China both have legitimate concerns and grievances. However, these issues can only be resolved by maintaining open lines of communication and making a strong and concerted effort to cooperate on this very difficult issue and work to institutionalize this cooperation both bilaterally and multilaterally.

My dissertation research focused on the value of diplomatic engagement – not cybersecurity – but many of the overarching lessons regarding the concrete value of diplomacy can be applied to the cyber realm. In fact, my research looked specifically at diplomacy in the context of US sanctions across a wide range of difficult issue areas. So, these were all cases with their own sets of tensions as punitive policies were in place. In my research, I looked at more than 100 episodes in which the US imposed sanctions on other countries. When controlling for other variables, simply increasing the economic costs imposed on the target state did not lead to desired outcomes.

Diplomacy was critical to progress and diplomatic disengagement hindered efforts to attain desired outcomes. For example, in the most extreme cases, when the US completely disengaged with a country and closed its embassy in a targeted country, for instance, the rate of failure in attaining desired outcomes rose to 73 percent from 42 percent.

The Atlantic Council’s expert on cybersecurity, Jason Healey, writes in a recent article, “The cyber age has barely begun. But already cyberspace is so dangerous, and with so few norms, it has been called the new Wild West. Its future is still a jump ball, however, and there is no way of knowing how sensitive that future could be to the wrong decisions today.”

Both the US and China need to work to attain mutually agreed upon norms and rules governing the cyber realm. As with the traditional realm of war – without a set of international norms and structure in place, misperception may become increasingly likely, with unintended escalation and negative outcomes for both sides. We can see the classic security dilemma at work in the realm of cyber – particularly since offensive and defensive measures can at times be indistinguishable from one another.

However, if the US and China don’t take strong diplomatic measures now to sort out disagreements and cooperate, we risk cybersecurity conflict becoming more and more entrenched over time – making it increasingly difficult to engage in diplomacy or engage one another to resolve differences, establish norms and work together. In addition, we run the risk of cyber attacks or cybersecurity disagreements polluting US-Sino relations in other areas or, in a worst-case scenario, unintentionally catalyzing conflict.

General Recommendations for Overcoming Diplomatic Barriers

In light of the previous barriers discussed, there are a number of recommendations that may help ameliorate barriers to diplomacy and help leaders opt for diplomatic engagement.

Emphasize that diplomacy does not mean equal concessions, but is a process of communication, learning and even expressing disapproval: Diplomacy is a mechanism of communication between states. It does not need to convey an attitude of acceptance or approval of another state’s behavior. In fact, diplomacy can be used to convey harsh messages of condemnation and criticism, and even to articulate threats to another state. Opponents of diplomacy often frame diplomatic endeavors as signals of acceptance of the other side, so framing diplomatic engagement as a way to apply positive and negative pressures can help overcome this limited view of diplomacy.

Engage in both public and private diplomacy: Concerns about reputation or credibility can be ameliorated by starting talks in private. While public displays of diplomacy, like the recent summit in California are critical, behind-the-scenes talks allow diplomatic foundations to be put in place. The US and China should be engaging in both forms of diplomacy on cybersecurity.

Highlight the many advantages of diplomacy beyond just attaining political outcomes: Diplomacy can yield a number of advantages beyond the immediate attainment of desired outcomes. Diplomatic negotiations can work to transform the nature of relationships between parties, build trust and lead to personal relationships between leaders in both states. There can be spillover effects into other areas and on other issues beyond cybersecurity.

Emphasize that diplomatic progress in one area, such as cybersecurity, can impact positive outcomes in other realms of foreign policy for both countries: Diplomacy can serve as a way to link a broad set of issues together and negotiate differences across these issues areas. Working to resolve differences in cybersecurity can also assist US-China relations and help with progress in other areas that serve both states’ interests.

Breaking down the cyber issues: Given that the areas of agreement and disagreement in the cyber realm span different types of activities, it makes sense to try to work on these areas separately and establish frameworks, norms and international law treating these areas separately. In other words, breaking down the cyber issue into the dimensions mentioned earlier (cyber terrorism, cybercrime, economic espionage, cyberwarfare) and dealing with these as separate issues might make it easier to make faster progress on areas of agreement.

Start with small victories: Related to the point above, start with areas of cyber that the US and China agree on and then address some of the more difficult areas of disagreement. Sometimes small mutual victories can help foster cooperation in later negotiations.

Moving Forward on Cyberdiplomacy

Both the US and China ought to embrace a strong push for cyberdiplomacy and work together to create a comprehensive international framework or treaty. A parallel effort should include the ongoing diplomatic meetings that have started – and continued high-level meetings on this issue.

While ideally an official agreement or framework will be put in place over time, the US and China ought to work on confidence-building measures and communicating red lines. The Strategic and Economic Dialogue meetings and the new Cyber Working Group, which first met on July 8, will be key to these efforts. In July, both sides agreed to talk more about the norms governing cyber activities, and Defense Secretary Hagel emphasized the importance of US-Chinese cooperation.

Ramp up on cyber diplomats: The US should devote more resources to the diplomatic side of the cyber equation, namely at the State Department. The China-US Strategic Security Dialogue, State’s Cyber Coordinator and the newly announced Chinese cyber affairs office are all positive steps in the right direction. Both President Obama and Secretary Kerry ought to be having frequent meetings with Chinese leadership on cyber issues and other areas of importance to US-Sino relations. In his Foreign Policy piece, Maurer suggests, “Let’s start by growing our cyber diplomatic effort by at least a factor of five.”

Increase high-level cyber summits: Diplomatic summits and high-level meetings between leaders, like the recent meeting between both countries’ leaders at the Sunnylands Estate in California, are critical and should be continued. Personal relationships are important. Larger summits, conferences and exchanges, such as this conference, are important for promoting a shared vision and for understanding the zones of disagreement.

Increase track two cyberdiplomacy efforts: In addition, track two diplomacy efforts like this conference are critical. Academics, journalists and researchers conversing and brainstorming about ways to find areas of agreement in the cyber domain are helpful in trying to find new and innovative paths that may not be on policymakers’ agendas. For example, the Center for Strategic and International Studies has been helping to organize bilateral talks with key Chinese leaders.

Create cyber milestones: The US and China should work to develop cyber milestones. This could take the form of symbolic goals or a timeline for certain small steps to be accomplished. Look historically to how norms developed around chemical, biological and nuclear weapons and determine if shared norms could create pillars for a new cyber weapons convention or cybercrime convention.

Define which current laws are applicable to the cyber realm and define areas where international cooperation may be required to create new frameworks: In the Chris Painter interview mentioned earlier, he notes that the UN Group of Governmental Experts (which includes both the US and China) is issuing a final report stating that existing international law, including frameworks like the UN Charter and the Law of Armed Conflict, applies to the cyberspace domain. However, while existing frameworks may be applicable in some areas, there is definitely a need for additional new frameworks to govern cyberspace.

Establish a cyber hotline: The US and China should establish a cyber hotline like the one that was recently established between the US and Russia in June. This type of communication channel is valuable particularly in the event of any sort of cyber crisis between states.

Joint study on impact of attacks: In a 2012 paper by Greg Austin and Franz-Stefan Gady, published by the EastWest Institute, the authors propose that a joint study be carried out by the United States and China. The study would examine the “interdependence of their respective critical information infrastructure in terms of likely economic effects of criminal attacks with strategic impacts.” Joint studies looking at the impact of various types of cyber attacks are useful in highlighting the shared consequences and also help foster greater communication, cooperation and transparency between the US and China.

Make red lines clear: Both the US and China need to make red lines clear by clearly articulating their responses if certain lines are crossed, and the types of penalties being considered in response to certain types of attacks, with regard to both non-state actors and states.

Devote significant time and resources to working through disagreements relating to intellectual property/economic espionage: Disagreements over intellectual property/economic espionage are at the heart of US-China differences of opinion in the realm of cyberspace. While hopefully both sides can be brought closer together in terms of their positions on these issues, this will undoubtedly take time. This will most likely be the most difficult issue area on the cyberdiplomacy agenda. The EastWest Institute report suggests establishing a legal foundation to allow both countries to share information and work on joint assessments pertaining to intellectual property-related cases. It may also be worthwhile to try to separate this particular issue out from the other cybersecurity issues on the cyberdiplomacy agenda through separate working groups or officials specifically dedicated to bilateral discussions on these types of attacks. This may help prevent the issues of deepest disagreement from undermining progress being made on other aspects of cybersecurity.


While this paper emphasizes the important role of diplomacy in the realm of cybersecurity, the progress made via diplomacy must be carefully tracked and gauged over time. It is in the best interest of both China and the United States to find areas of agreement on these complex issues or the interests of both nations will be undermined in the long run. If the US, China and other countries can’t work together to govern cyberspace, we are going to see private companies start taking matters into their own hands by attacking back while individual countries start adopting punitive policies like sanctions to address such attacks. We will also see a rapid deterioration in relations between countries due to these attacks and spillover effects into other foreign policy areas of cooperation. This is not in the best interest of either the United States or China – and so both countries should devote significant time and resources to enhancing the cyberdiplomacy arsenal. Back in 2011, Henry Kissinger and Jon Huntsman called for a US-China cyber détente and that is exactly what both countries need to work on attaining right now.

Blogs of War Chrome Extension Updated

I’ve made a ton of changes over the last couple of days. The extension has been updated to pull national security news from dozens of my favorite sources. The list of U.S. government feeds in the mix has grown as well, with multiple feeds from the Department of Defense, State Department, CIA and NSA added to the mix. The look and feel has been modified as well, with each story being displayed on its own card composed of the headline and a brief summary.

The number of stories available in the extension has been boosted as well. It now pulls in the 50 most recent updates from these sources, making it a pretty useful tool for a quick scan of the stories that matter.

Please rate it and drop a review on the Chrome Web Store to let me know what you think. Click on the install button below to add it to your browser.
