The Corner

National Security & Defense

Why a Joint  ‘Cyber Security Unit’ or Treaty Probably Won’t Work

From the first Morning Jolt of the week:

Why a Joint  ‘Cyber Security Unit’ or Treaty Probably Won’t Work

President Trump on Twitter yesterday morning: “Putin & I discussed forming an impenetrable Cyber Security unit so that election hacking, & many other negative things, will be guarded..”

President Trump on Twitter yesterday evening: “The fact that President Putin and I discussed a Cyber Security unit doesn’t mean I think it can happen. It can’t-but a ceasefire can,& did!”

The good news is that someone – H.R. McMaster, perhaps? – managed to get in front of the president and was able to explain why creating a joint “cyber security unit” with the Russian government is unlikely to work. As Marco Rubio said, “Partnering with Putin on a ‘Cyber Security Unit’ is akin to partnering with Assad on a ‘Chemical Weapons Unit’.” (I suppose in both cases, those men know a lot about the subject.)

Elsewhere, Bloomberg View columnist Leonid Bershidsky wonders if the concept of an international cyber-security agreement could be broadened to become a major international treaty:

Attacks on civilian services, and especially on nuclear plants, are a different matter. They are unambiguous acts of war. It is known that the U.S. is capable of them, and it would stand to reason that Russia wouldn’t let itself be outdone. Nor would China and, given that cyberweapons are relatively cheap to develop, smaller players such as Israel or North Korea. And yet there are no rules of engagement for countries that have the capability to shut off each other’s power grids or, say, traffic light systems. There’s no cyberwar equivalent of the Geneva and Hague conventions, which set rules for the treatment of civilians and ban certain kinds of cruel weapons.

In February, the United Nations Security Council unanimously adopted Resolution 2341 calling on states to arm themselves against terrorist attacks on critical infrastructure. But what about such attacks initiated by other governments, not terror groups? It’s time there were some internationally recognized principles that applied to them, defining, for example, what constitutes an attack, what response is permissible, and what can and cannot be done to civilian networks. It would be helpful to establish some international attribution mechanism; a nation’s intelligence services cannot be trusted to make an assessment that would be used to justify international sanctions.

That’s a really wonderful idea that will probably never quite work. For starters, just about every foe that the United States has fought since the Geneva Conventions were enacted has violated them, more or less without the slightest regard for them or hesitation: al-Qaeda, the Taliban, Saddam Hussein, Serbian paramilitary groups, the North Vietnamese and Viet Cong, the North Korean and Chinese armies, Imperial Japan, Nazi Germany… In other words, a rule banning a particular weapon or act doesn’t really prevent that weapon from being used or that action from occurring by itself. Past experience tells us that many countries would sign the treaty banning certain forms of cyber-warfare and then promptly ignore it.

(Every U.S. administration ignores international treaties that it finds inconvenient. In 2011, the Obama administration approved secret arms shipments to Libya’s rebels and ordered NATO air and sea forces around Libya not to interdict the cargo planes and freighters transporting weapons into Libya from Qatar and the United Arab Emirates, violating United Nations resolution 1970 banning arms transfers into Libya’s civil war.)

Back at the beginning of the Obama administration, after having the chance to meet some of the country’s top cyber-security experts, I wrote, “cyber-warfare is, generally speaking, more controllable than a biological weapon, doesn’t run afoul of as many established treaties as a chemical weapon, is nowhere near as expensive and visible as a nuclear weapon, and is much harder to attribute than conventional terrorism. It is another asymmetrical tool that allows weaker countries and groups to play on the same field as the big boys.”

It’s the deniability and ability to “mask” the origin of cyber-attacks that make them particularly tempting for malefactors, rogue states, and hostile superpowers alike. It’s a chance to sucker-punch your foe anonymously. Way back when, one of those cyber-security experts compared cyber-warfare by asking “how do you win a boxing match when you’re blindfolded?” The answer was “you put the boxer in a suit of armor.” The only real way to win the fight is to harden your defenses until they’re impenetrable and no one wants to step into the ring with you.

Bershidsky concludes, “Rules of engagement are still useful: Most belligerent parties aim to act honorably and avoid being branded as war criminals. Official cyberwar rules wouldn’t stop attacks, but they would define unacceptable behavior for all concerned.”

I don’t know how much I want to bet my country’s safety on other countries’ desire to “act honorably.” Fear of retaliation always struck me as a more effective deterrent. It appears now, far too late, some Democrats are expressing this philosophy more vocally:

Obama’s former national security adviser, Thomas Donilon, says as much in a new interview for The Global Politico, telling me there’s “no doubt about it” that Obama should have publicly pinned the blame on the Russians much sooner and taken more aggressive steps to retaliate.

Now he tells us.


The Latest