International Regimes and Information Infrastructure
In his address to the Naval Academy's Class of 1998, President Clinton spoke of three problems for which he was launching initiatives: terrorism; biological warfare; and critical infrastructures. However, he mentioned international cooperation only as a solution to the first two problems. This is unfortunate because international cooperation is crucial to any effective infrastructure protection policy. The President's Commission on Critical Infrastructure Protection (PCCIP) found that the most significant threat to U.S. infrastructures is that to Information Infrastructure. Information Infrastructure (II) is the network of computers and the telecommunications devices that link those computers together. Governments and economies, especially those of the US, are beginning to depend on II, a phenomenon which is increasingly international in scope. Unfortunately, II has substantial vulnerabilities. These vulnerabilities constitute an international problem that requires an international solution.
This essay will argue that an international regime is important to II security. The argument will begin by examining the vulnerabilities of II. Then, it will explain why an international regime would help solve the problems of II. Finally, this essay will outline what specific aspects such a regime would require in order to be effective.
The problems of II
Information Infrastructure is vulnerable to attack, and because II is spreading into more nations every year, that vulnerability is a problem for international relations. Any information that was stored on paper can now be stored on a computer, but Information Infrastructure is more vulnerable than file cabinets ever were. Computers do more than store information; they interpret, relay, and react to information. For example, telephone companies use computers to operate their switchboards at thousands of times the speed of human operators. While these computers are more efficient for phone companies, they are only as reliable as their programming: "In June 1991, service for 6.7 million telephone lines in Washington, D.C., was disrupted for several hours. The problem turned out to be a mistake in the telephone switching protocol- a single mistyped character of code"1. Code, written by programmers, tells computers what to do with information. Not only are computers incapable of distinguishing between flawed and flawless code, they also cannot distinguish between malicious code and harmless code. Here lies the potential for abuse; not only can remote users read documents and copy files, but they can also tamper with a computer's basic functions.
Information Infrastructure is vulnerable because it allows remote users to manipulate computers. Modems do for computers what telephones do for people, enabling them to communicate between any two points in the world. The same is true of network connections, except that because they transmit information over non-telephone wires, network connections are much faster than modems. When a modem or network connection links two or more computers, those computers are "networked", and thus constitute part of the II. The problem is that information and programs on net
worked computers can be damaged or tampered with from remote locales. Almost nothing on a networked computer is secure because an unauthorized user can attack the programs designed to secure it. The technology community tries to eradicate these threats through various technical means, such as encryption and firewalls, but these are not always effective. This is partly because the user is such an important yet fallible component of the system. For example, someone who uses two different computer systems might be tempted to use the same password on both. If one system is very secure and the other less so, an intruder need only crack the less secure system and retrieve the user's password to gain access to the more secure system.
Recent trends in technology have pushed the problems of II security into the realm of international relations. The last two decades have been characterized not only by increasing reliance on computers, but also on their worldwide interconnectedness. Table 1 demonstrates the recent surge in computer usage and networking.
Table 1 Global Technology Trends (pt.1)2  |
|||
| What | in 1982 | in 1996 | in 2002 |
| Personal computers | thousands | 400 million | 500 million |
| Local Area Networks | thousands | 1.3 million | 2.5 million |
| WWW devices | none | 32 million | 300 million |
Though none existed in 1982, by 1994 there were seventy-two nations with "full connections" to the Internet, and "with a full connection, you can, given the right passwords, use the computers of any other similar site as if you were there"3. Though US users currently constitute the bulk of Internet traffic, this is changing. In 1995, only 23% of web users were outside the US; by 2000 that share should increase to about 50%4. II will soon affect nations around the world; consequently, so too will its short comings.
The ways in which II is used makes these shortcomings potentially catastrophic. Economies are beginning to rely more heavily on networks. Jeffrey Hunker, Director of the Critical Infrastructure Assurance Office, recently noted that, "over the last five years, . . . 25 or more percent of the economic growth we've seen has come out of information technologies"5. Government and military use of this technology is expanding, giving rise to a new concept in military thinking: Information Warfare. Computers and II are the mainstay of Information Warfare, and one of its primary characteristics is that it depends "on commercial technologies available to most anyone"6. This means that individuals and other non-state actors can threaten entire nations. According to Winn Schwartau, an expert on information warfare, "we have distributed the capability to wage war" 7. Dependence on II has made Information Warfare a practical concept. This much has been acknowledged by the head of the CIA, John Deutsch:
[Deutsch] testified . . . that the US's growing dependence on computer networks had fostered a vulnerability to attacks that could cripple the nation's economic infrastructure. "Both nations and terrorist organizations can, with relative ease, acquire the techniques to penetrate information systems", he said, thereby opening up the possibility for a small hostile group to take on the might of the US on equal terms. 8
For example, in 1995 alone there were as many as 250,000 intrusion attempts against Department of Defense computers 9. Only one of those needs to be successful for the US to have a serious problem.
Implicit in the definition of Information Warfare is that its practitioners and its targets need not be states. Individuals only need a computer, a connection, and some programming expertise to be information warriors. Table 1 demonstrated the increasing availability of computers and connections; Table 2 shows the proliferation of expertise.
The number of viruses -malicious self-replicating code- is an indirect measure of the expertise and maliciousness of programmers. The PCCIP identified Telecommunications Systems Control Software (TSCS) specialists, those "insiders" who make the
| Table 2 Global Technology Trends (pt. 2)10 |
|||
| What | in 1982 | in 1996 | in 2002 |
| Viruses | some | thousands | tens of thousands |
| People with skills for a cyber attack |
thousands | 17 million | 19 million |
| TSCS specialist | few | 1.1 million | 1.3 million |
II work, as the greatest potential threat to II11. Ultimately, it takes a person to attack II, and the crux of the problem for international relations is that almost anyone, almost anywhere, can do so.
Such attacks have already occured. These attacks range from domestic (US) incidents to international assaults. In 1987, a German hacker in the employ of Soviet-bloc agents hacked into several military computers and downloaded sensitive material for at least nine months12. In another case, US hackers tampered with a telephone switching computer, so that all calls to a Florida probation office were routed to a phone-sex operator in New York 13. Recently, German hackers showed how a technology called ActiveX, which allows web pages to upload and run code on users' computers, could be used to transfer money via electronic banking without a PIN or other form of authorization14.
The Datastream Cowboy incident demonstrates the nuances of dealing with international hackers. Over a thirty-one day period beginning March 18, 1994, two hackers, one calling himself the Datastream Cowboy, accomplished 150 intrusions into Rome (N.Y.) Air Force Base's computers. "The hackers gained complete access to 30 systems, downloaded data, and used Rome as a launching platform to penetrate about 100 other systems"15. One of these intrusions, on April 15, was exceptional:
The hackers used the Rome computers to tap and download information from the Korean Atomic Research Institute. At first, the Air Force was fearful that the institute might be in North Korea and an intrusion might be perceived as an act of war. As it turned out, the institute was in South Korea. 16
To avoid phone traces, they routed their activities through South America, Europe, Mexico, and Hawaii. This tactic is called "looping-and-weaving", and is successful because law enforcement agencies have difficulty in obtaining consent from other nations to trace phone calls. Eventually, an informant identified the intruders. The first of the pair to be arrested, the Datastream Cowboy, was a sixteen-year-old English boy, who was using a 486 SX computer in his family's home. Though guilty of federal crimes in the U.S., his punishment was a fine of L1,450 because the United Kingdom has reserved the right to prosecute crimes committed from computers in the UK, regardless of where the victim system is located. Thus, the question of jurisdiction meant leniency for the boy. The other defendant is still awaiting trial.
These incidents will not be the high water marks of attacks on II. The early nineties were the end of hacking's Golden Age, "the End of the Amateurs"17. Now the stakes are higher because more people, businesses, and governments depend on computers. As dependence and complexity increase, so does vulnerability, in that more complex systems are more likely to fail and that those failures will be more severe. As problems become international, so must solutions. The world must look to an international regime as the key to dealing with threats to Information Infrastructure.
Why an international regime?
Dealing with threats to II requires international cooperation. International regimes facilitate cooperation among states. The accepted definition for international regimes is "sets of implicit or explicit principles, norms, rules, and decision making procedures around which actors' expectations converge in a given area of international relations"18. Most explanations of regimes begin with the assumption that states are rational, egoist actors. In other words, each state can and will pursue its own interests. This does not completely exclude the possibility of cooperation, because states might conceivably have common interests. However, the international system is also assumed to be uncertain, with states not sure how other states will behave. This uncertainty often prevents cooperation, because states cannot be sure that their security is not being compromised. States create regimes because they have common interests, but cannot coordinate those interests due to a lack of communication and trust19. International regimes facilitate better communication and constrain states to strategies that are not detrimental to other states which share their interests 20. So through regimes, states structure the international arena and make cooperation practical. The problem for II security is that these principles, rules, and procedures are either nonexistent or insufficient. There is still a great deal of uncertainty among nations as to how to deal with II, and a regime will help II security by reducing that uncertainty and structuring international cooperation.
An international regime could solve the problems of international II security by coordinating policies and facilitating the exchange of information among concerned nations; that is, the regime would allow nations cooperate to protect II. By constraining states to a set of acceptable behaviors, the regime will reduce uncertainty. Policy coordination will enable victim nations to defend against, investigate, prosecute, and possibly deter threats to II.
First, an international regime will enable nations to better defend their IIs. Technological solutions to II vulnerability exist, but they quickly become obsolete as computers become more powerful and criminals become more clever. Nations who are still developing their II, however, may not have the resources to develop or employ similar solutions independently. An international regime would facilitate the exchange of such information and technology. Nations who are interconnected would find it in their own interest to help protect the II of nations becoming connected. By sharing information on building and protecting II, advanced nations can help ensure that their citizens will be able to use foreign II safely, and that their II will not be threatened by poorly maintained technology. Second, investigating attacks on II will be easier through an international regime. How do you control criminals in a region without borders? One answer is cooperation, because the "mobility of large numbers of people . . . requires that policing is closely coordinated"21, i.e. through a regime. The nature of II allows "virtual" mobility in that crimes can be committed without the physical presence of a criminal at the scene. Policing must be coordinated to adequately deal with that aspect. In fact, the large number of agencies and organizations pertinent to II security demands an even more structured regime. Through policy coordination, an international regime would make investigation easier for all nations concerned. Participating nations would create contigency plans so that when an attack occurred, their response could be swift, effective, and coordinated.
Third, an international regime would allow for consistent prosecution of II. Coordination of laws would let nations expect that violators would be punished appropriately, even if those nations could not administer the punishment themselves. Even if one nation refuses to extradite its citizens, having a standard legal code throughout the regime would mean that the attacked nation could expect an appropriate response to the intrusion. This is the exact opposite of what happened in the Datastream Cowboy incident 22. The alternatives to legal response are potentially dangerous. Because the US knows that attacks from abroad cannot be dealt with through legal channels, it has developed extra-legal responses to such attacks. The Air Force, for example, can electronically counter-attack a hacker's computer and destroy it 23. Unfortunately, such a method can also be used as an offensive weapon. If nations began developing these weapons, the result could be an electronic arms race. Other nations could never be sure if the intent of the technology was defensive or offensive. Such a situtation would create tremendous uncertainty and fear in the international system. By making certain that the same act receives the same punishment anywhere, the II regime would reduce the need for extra-legal responses to II attacks.
Fourth, an international regime could deter potential II attackers, because the stakes would be too high. Violation would no longer be inconsequential, but a serious crime met with a capable international response. Without a regime, the world can expect that threats to II will grow. Right now, the benefits of such actions far outweigh the costs, as hackers historically receive light punishments for their crimes. Because deterrence is an important function of penal law, an effective punishment system will scare hackers away, making them less likely to attempt such attacks.
Nations use regimes to deal with many problems in the international system. One notable example is the non-proliferation regime. The central problem facing this regime is the fact that nuclear technologies with peaceful applications also have applications for weapons production. The regime has created several solutions to this dual-use dilemma. Nations who produce nuclear technology and materials for export have agreed or have been compelled to agree that they will be selective in what and to whom they will export 24. With a few exceptions, nations who possess nuclear arsenals have agreed to not assist other nations in developing their arsenals, and nations who do not have arsenals have agreed to refrain from pursuing such arsenals 25. In return, states with nuclear arsenals have promised to assist these nations in the development of their peaceful nuclear power systems 26. Though many nations possess nuclear technology and expertise, the fact that only eight nations possess nuclear weapons is evidence of this regime's efficacy. This international regime is one of those that involves strict enforcement. Important issues coupled with obvious violations lend themselves to enforceable regimes.
The similarities between nuclear proliferation and II suggest that a similar regime might be also effective for II. Both problems deal with an international security threat, and both have a dual-use aspect. However, there are significant differences between the two. For example, nuclear proliferation has obvious violations; a nuclear detonation can be detected instantly. II has no such assurances, an II attack might not be detected at all. Furthermore, every computer ever made has the potential for dual-use, where II is concerned. Nuclear reactors can be designed so that they are not useful in production of weapons, but any computer that functions properly is potentially a weapon. Only states have detonated nuclear weapons, so that the threat is from nations and not individuals, whereas anybody can launch an II attack. These differences do not mean that a regime will not work for infrastructure protection, but rather that the regime needs to take into account the nature of II to be succesful.
What an II regime needs to be succesful
What constitutes a succesful regime has not been fully addressed in the literature. A simple definition of success would be that the regime is succesful if the benefits outweigh the costs. This definition is problematic because it assumes that costs and benefits will always be explicit and quantifiable. It further suggests that a nation will not become involved in a regime if it appears too costly. However, nations wishing to cooperate can usually apportion their involvement in a given regime based on the expected costs and benefits. France did this with NATO, subscribing to the general organization but not to the specific military structure. Therefore, the possibility of different levels of involvement for different nations is one characteristic of a succesful regime. A spectrum of involvement would contribute to success by allowing nations to become
more active as the benefits of protection increase, and would give them more flexibility in their cost-benefit analyses. The literature on regimes has identified two other factors that contribute to regime success, namely hegemonic stability and multilateralism.
The presence of a hegemon enhances the strength of a regime. Strength is the "stringency with which rules regulate the behavior of countries"27. Hegemonic stability theory says that "regimes will be strong when there is a unipolarity in the distribution of capabilities in a system"28. Implicit in this is that the regime is imposed and that the hegemon uses it as a tool of power. Also implicit is that the regime depends on the hegemon for strength. As the most technologically advanced, based on II development and usage, the U.S. would be the II hegemon. From that basis of hegemonic stability theory, an international regime led by the U.S. would be strong,
The United States, as one of the first nations to recognize this threat and the most dependent on II should initiate the internationl II regime. This would complement the efforts on the national level that the President's Commission on Critical Infrastructure Protection has recommended. The PCCCIP wrote that, "the federal government should serve as a national model for sound information assurance practices"29. If the U.S. government does so, it will also be an international model for such practices because no other nation depends so much on II. From that role as international model, the United States is in a unique position to lead other nations towards collective security.
While the U.S. would initially be the core of the II regime, the regime would become more multilateral as it matured. Keohane writes that "when regimes already exist, they can be maintained even after the original conditions for their creation have disappeared"30. Because regimes adapt to the environment in which they operate, they change with the decline of the hegemon to meet the members' needs. Thus, a regime that drew strength from the U.S. would eventually rely less on the U.S. and become more multilateral as the U.S.'s power declined.
Egalitarianism can also contribute to an international regime's longevity. A hegemonic and egalitarian regime might sound like a paradox, but it simply means that the hegemon does not use the regime unfairly while still providing leadership. To that end, Puchala and Hopkins write that "'fairer' regimes are likely to last longer"31. Included in the idea of fairness is voluntary participation. Regimes that use enforcement and coercion are less successful, because "usually it is self-interest, broadly perceived, that motivates compliance"32. Most nations will view a less fair regime as more costly, because it does not take their interests into account. A negotiated regime acknowledges the needs of all nations involved, resulting in the least costly solution.
There are several requirements for an international II regime that are unique to this problem. First, the regime should define the problem, so that an II attack in one nation is considered an II attack elsewhere. Second, the regime should facilitate extradition of II attackers, depriving any nation of what could be a military asset. Third, the regime must be multilateral, encompassing all nations connected to international II. Fourth, the regime should be inclusive of all governments, organizations, and corporations concerned with II protection. Fifth, a succesful regime should facilitate information exchange, so that members will know how to detect and respond to attack. Sixth, it should establish inviolability for II to prevent nations from using it as a weapon. Finally, the regime should promote connectivity, so that an attack on one nation's II will be felt elsewhere, compelling an international response.
The OECD's Guidlines for the Security of Information Systems represent the first step towards an international regime dedicated to the protection of II. The Guidelines use slightly different terminology; information systems has a very broad definition, but it is essentially the same as II. The Guidelines are based on nine principles, from which the OECD recommends that states "establish measures, practices, and procedures"33. Those principles are outlind in Table 3.
These principles, together with more specific recommendations for implementation, constitute the beginnings of a regime of international II security. There are a several things this set of guidelines does well. First, it recognizes the global aspect of the problem and the need for cooperation. Second, it embraces the non-technical solutions to the problem. Third, it implies a right to privacy that is essential to II. These are some of the most over-looked issues in securing II, and the fact that the OECD has recognized and made an effort to deal with them is heartening.
There are, however, two significant flaws in this plan. First, the recommendations say nothing about state-sponsored attacks; these will be prohibited in any significant regime. Again, the NPT and other regimes would be worthless if they did not place constraints on states. Second, the recommendations are too vague. In addition to existing norms, the regime must also set concrete rules regarding II. The vague presciptions in Guidelines echo of Susan Strange's "symbolic regimes"35, that allow states to pursue interests as they would without constraints.
| Table 3 Table 3 OECD's Prinicples for Information Systems' Security34 |
|
| Principle | Summary |
| Accountability | owners and users responsibilities should be explicit in regards to security |
| Awareness | owners and users should be aware of the levels and limits of security in their infor mation systems |
| Ethics | the use of information systems should not infringe upon others rights |
| Multidisciplinary | all aspects of the problem, including legal and technical, should be addressed |
| Proportionality | security should be appropriate to the potential for harm for a given information system |
| Integration | security should be coordinated |
| Timeliness | nations should begin work on security sooner rather than later |
| Reassessment | the Guidlines should be reviewed every five years |
| Democracy | security must not infringe on legitimate use of information systems |
A succesful regime will deal with the specifics of II control, because the problems of II security will not be solved piecemeal.
Conclusions
The future security of II would benefit from an international regime, to facilitate cooperation and coordination among nations. The world's dependence on II is increasing daily, and as that dependence increases so grows and spreads the threat to II. Domestic policies and technology alone are not enough to deal with the globalization of this threat. To be fully secure, II requires an international regime to facilitate international cooperation. Given the trends and necessity of II security, regime formation seems inevitable. Whether this regime will form in the near future and whether it will be succesful are not as predetermined. In regards to II protection at the national level, the PCCIP's "fundamental conclusion" was that "waiting for disaster is a dangerous strategy. Now is the time to act to protect our future"36. This is true for international policy, too; the promise and potential of information infrastructure must be protected sooner rather than later.
1Correll, John T. "War in Cyberspace". Air Force Magazine, vol. 81, n. 1 (Jan 1998); p.35
2PCCIP (the President's Commission on Critical Infrastructure Protection). Critical Foundations; Protecting America's Infrastructures. 1997; p.9
3Holderness, Mike. "Welcome to the Global Village". Geographical Magazine v66, n5 (May, 1994). p 16; found on Melvyl
4Hickman, Angela. "It's a wired world". PC Magazine, v16, n20 (Nov 18, 1997). p 29; found on Melvyl
5Office of the Press Secretary, White House. Press briefing by Richard Clarke, National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism; and Jeffrey Hunker, Director of the Critical Infrastructure Assurance Office. May 22, 1998; p.1
6Thrasher, Robert D. "Information Warfare: Implications for Forging the Tools (U)". Naval Postgraduate School, Monterey, CA.. found at info.war.com/Class_3; p.8
7Schwartau, in Thrasher; p.14 note: this paper was the report of a Delphi study involving several IW experts; hence Schwartau is quoted although Thrasher wrote the paper.
8Carlin, John. "US fears 'Electronic Pearl Harbor'". Independent, Sunday 9/2/97; found at info.war.com/Class_3;
9Wolf, Jim. "Flaw Imperils Security". New York Times 2-8-98. found at info.war.com/Class_3/
10PCCIP (the President's Commission on Critical Infrastructure Protection). Critical Foundations; Protecting America's Infrastructures. 1997; p.9
11ibid p.15
12Stoll, Clifford. The Cuckoo's Egg. Bantam; NY; 1989; p.1-326
13Sterling, Bruce. The Hacker Crackdown; Law and Disorder on the Electronic Frontier. Bantam; NY; 1992. p.98
14Gilles, John. "Hackers shuffle cash with Quicken, ActiveX". found at www.wired.com/news/technology/story/1943.html
15Correll, John T. "War in Cyberspace". Air Force Magazine, vol. 81, n. 1 (Jan 1998); p. 36
16ibid p.36
17Sterling, Bruce. The Hacker Crackdown; Law and Disorder on the Electronic Frontier. Bantam; NY; 1992; p.313
18Krasner, Stephen D. Structural causes and regime consequences; regimes as intervening variables. in Krasner, Stephen D. (ed.), International Regimes (pp. 1-22). Cornell U.; Ithaca, NY; 1983; p.2
19Keohane, Robert O. After Hegemony. Princeton U; Princeton, NJ; 1984; p.63
20ibid p.63, 97
21Hebenton, Bill and Terry Thomas. Policing Europe. St. Martin's Press, NY; 1995; p.49
22Correll, John T. "War in Cyberspace". Air Force Magazine, vol. 81, n. 1 (Jan 1998); p.35
23 ibid p.35
24Yager, Joseph A. International Cooperation in Nuclear Energy. Brookings; Washington, DC; 1981; p.28
25ibid p.28
26ibid p.28
27 Aggarwal, Vinod. Liberal Protectionism. U. of Cal Press; Berkeley, CA; 1985; p.20
28 ibid p.186
29PCCIP (the President's Commission on Critical Infrastructure Protection). Critical Foundations; Protecting America's Infrastructures. 1997; p. A-10
30Keohane, Robert O. After Hegemony. Princeton U; Princeton, NJ; 1984; p.215