Earlier this month, the Obama Administration unveiled its legislative proposal to enhance America’s cybersecurity, calling for better protection of systems running critical infrastructure like the electrical grid, financial systems and nuclear power plants. The White House also laid out  an international cyberspace strategy for strengthening Internet security while helping ensure that citizens everywhere have the freedom to express themselves online. The Pentagon’s Cyber Command has stated its intention to strike back at cyberattacks that threaten U.S. national security. And the Chinese, Russians, and other nations aren’t far behind with their own strategic plans for cyberspace.

Today, we find ourselves at an inflection point in the Internet’s short history. All modern armed conflict now invariably features a cyberspace component: consider the 2006 Israel-Hezbollah war; the 2007 “Web War I” denial-of-service attacks on Estonia; the 2008 Russian-Georgian war over South Ossetia; continuing hostilities in Iraq and Afghanistan; and internal clashes throughout the Middle East. Yesterday’s kinetic strikes on communications infrastructure, hacked computer networks, and geolocation-guided missile attacks have given way to sophisticated cyberattacks designed to shut down critical national infrastructures or to coerce or intimidate a government or civilian population. Consider, for example, the 2010 Stuxnet worm that successfully attacked and disrupted Iran’s nuclear facility in Natanz, which raised new questions about the Internet’s potential for becoming a new weapon of war.

Should we be worried about accelerating moves toward a militarization of cyberspace? Understandably, some observers express doubts about the threat posed by cyberwarfare: the term itself is ill defined, having been used to describe everything from computer-enabled surveillance to critical infrastructure attacks. Some cyberwar alarmists may even have other motives for needlessly ramping up fears, including  desires to diminish Internet privacy, encourage Sino-American rivalry, or increase the value of private commercial interests in cybersecurity ventures.

Yet a troubling recent shift toward censorship, surveillance, sabotage, and—yes—militarization in cyberspace is unmistakable. The United States recently launched USCYBERCOM, a new combatant command charged with both defensive and offensive operations. China and others are responding in kind. Surveillance in the public and private sectors is now commonplace, Internet filtering is becoming more accepted worldwide, and a growing culture of cybercrime and state-sponsored espionage threatens industry, government and civil society alike. The ways and means of cyberwarfare remain distinct from those of other conflicts, but there exist no international rules of engagement for this largely ungoverned domain.

All of these trends have the potential for converging into a perfect storm that threatens traditional Internet values of openness, collaboration, innovation, limited governance and free exchange of ideas. As global competitors continue to develop their cyber capabilities and expand their national influence over the Internet, the world community can minimize negative consequences of international rivalries and preserve the best of the Internet’s core values by recalling three lessons learned from past arms races:

1. Strategic Advantages Are Fleeting. The United States was the first nation to develop nuclear weapons, and it retained this technical advantage for four short years. The U.S. is the dominant nation in assigning domain names, routing traffic, creating new Internet technologies, and developing protocols and standards. But Brazil, China, India, Russia, and other nations are actively seeking opportunities to play a stronger role in Internet governance. Their rapidly growing technical capabilities, manufacturing expertise and domestic user markets will make it difficult to disregard their views in issues relating to Internet governance. Acting collectively or alone, one or more of these regional powers could establish rival Internet systems, fostering a “technical Cold War” in which China, Europe and the United States develop technically different secure protocols that fit each society’s values, ethics and legal systems but do not “speak” to each other. The result would be a balkanized Internet with dramatically reduced network effects. Unless all stakeholder nations are permitted a degree of involvement in Internet governance, the global network’s continued interoperability could be at risk.

2. Don’t Get MAD. During the Cold War, the doctrine of MAD (mutually assured destruction) led to the end of direct warfare between the major powers. The possibility that any conventional conflict could become a nuclear war in which both attacker and defender were destroyed served as a powerful deterrent. In cyberspace, however, there exists no analogous “mutually assured disruption” deterrent. Cyberattacks are fundamentally asymmetric, networked and distributed events: protocols governing Internet traffic remain insecure, attackers can easily work across multiple international jurisdictions, the origin of packets can be disguised, and prosecutions frequently remain impractical even when relevant laws exist. Deterring an adversary is difficult when consequences cannot be delivered effectively. Even if it were possible to replicate a truly MAD state in today’s cyberspace, “mutually assured disruption” does not hold the same promise of a bipolar equilibrium between Cold War rivals. To arrive at effective solutions, nations must abandon the inadequate strategic posture of MAD military deterrence in favor of collaborative approaches to protecting the world’s computer networks.

3. Talk Is Cheap(er). Between 1940 and 1996, the United States alone spent over $8.66 trillion (in current dollars) on an arms race that resulted in a net decline in the national security of both sides. The costs for preventing, defending against and repairing damage from cyberattacks on corporations alone have been estimated to exceed $1 trillion globally every year. Cyber arms control agreements may not be realistic in light of the current absence of shared understandings about the Internet’s core values. For example, China and Russia define cyberwar to include dissemination of information “harmful to the spiritual, moral and cultural spheres of other states” and argue for greater state surveillance capabilities. The United States, by contrast, focuses on cyberwar’s infliction of physical and economic damage and considers reduced anonymity on the Internet as damaging to its core values of privacy and free speech. To ensure that cyberwarfare becomes constrained and validated by politics, ethics, and the development of shared norms, values and objectives for cyberspace, responsible stakeholders must remain dedicated to the process of forming such shared understandings. Absent continued discussion, the debate can become unbalanced in favor of value-destroying military and technological responses to emerging threats.

The militarization of cyberspace is not a far-fetched fear. While  warnings of “digital Pearl Harbors” might be overheated rhetoric, a very real geopolitical conflict has arisen among political rivals contending with a steadily rising tide of cybercrime, surveillance and Internet espionage. Nations tempted to manage this conflict in ways that mimic strategies and behaviors borrowed from past arms races will subvert the open architecture that makes possible the Internet’s flexibility, scalability, reliability, and adaptability. As the world community seeks to chart a responsible course toward a future that protects and preserves the Internet’s tremendous benefits to our modern networked world, it will discover that successful approaches will be characterized by the same features that best describe the Internet itself: innovative, collaborative, efficient, distributed, and interdependent.

Friday, April 8, 1-3pm
Yale Law School, Room 122

You are cordially invited to attend a talk at Yale Law School on Friday, April 8, 1-3pm in room 122, with Peter Schreiber who will discuss current and future legal and public policy implications facing geospatial technology, the GIS industry, and GIS users.

About the talk:
The discussion will focus on the expanding application of geospatial technology relative to contracts and licensing law; tort law including mission critical applications and navigational guidance; software patents, “copyrightability” of GIS data and the battle between copyright and public records laws; the availability of geospatial data in the post-9/11 era under FOIA and Public Records acts; the 4th Amendment and GPS tracking and redistricting; geopolitical boundary controversies; geo-locational privacy; and the potential legal liability risk exposure that these topics bring. This presentation should prove to be very thought-provoking.

About Peter Schreiber:
Peter C. Schreiber is the Managing Attorney for the Contracts and Legal Services Department of Environmental Systems Research Institute, Inc. (Esri). He is Guest Lecturer at the GIS Master Program at the University of Redlands, and has also been an Adjunct Professor at the University of California, Riverside Extension and where he has developed and taught a class entitled The Digital Information Age: Law and Public Policy that explores GIS and other high technology-related legal issues. He is currently working on a legal casebook tentatively entitled Geospatial Law and Public Policy. One federal government agency considers him one of the top three legal practitioners in the area of map law in the country.

Mr. Schreiber is a member of the State Bar of California and the American Bar Association, and a member of the Intellectual Property Law sections of each organization. His practice areas include intellectual property, licensing, data rights, and related transactional business matters including mergers and acquisitions. He received his Juris Doctorate from the McGeorge School of Law, University of the Pacific in Sacramento, California, and has a Bachelor of Science degree with an emphasis in Marketing Management from the Walter A. Haas School of Business Administration, University of California, Berkeley.

Q&A session to follow.

Co-sponsored by Professor Richard Brooks, Yale Law School & The Yale Information Society Project

These ideas are still taking shape, but it was great to be able to work them over with conference participants from civil society groups, law firms, and governments — participants who came from China, Thailand, India, Israel, Canada, and a host of other countries that have all dealt with online safe harbors in different ways. Many thanks to the organizers of the conference, to the Yale ISP and the Kauffman Foundation, and to the fine restaurants and street vendors in Beijing’s Haidian District.