by Ed Stacey
On 22 April 2020, Ed Stacey sat down with Marcus Willett to discuss his recent article for the International Institute for Strategic Studies (IISS). Marcus’ analysis draws parallels between the current coronavirus crisis and global cybersecurity challenges and warns against the Balkanisation of either response. In this exclusive interview, he expands on his thinking.
For more information on the IISS and the latest analysis of international security, strategy, and defence issues, visit them here or follow them on Facebook, Twitter (@IISS_org), and Instagram (@iissorg).
ES: In your article, you explore the idea of a global cyber ‘pandemic’ – what do you mean by this?
Marcus Willett: What the article tries to show is that we like to take a lot of language in the world of cybersecurity from the world of dealing with medical crises – like the horrible one we are currently facing. For example, terms like virus and infection. However, what we have not started doing is using words like endemic and pandemic. The article was merely trying to go that extra step and consider the applicability of these words to what is happening in cyberspace. If you just look at cyber-criminality, for instance, techniques that were developed by people in the most advanced and connected nations have now spread, and are being used, all over the globe, by individuals, hacktivist groups, criminals and, of course, states.
Sitting here at the moment, if a cybercriminal was to try and defraud us, that criminal is as likely to be in Eastern Europe, or Nigeria, or Vietnam, as anywhere else. So what I was trying to show is that the use of cyber has spread globally and that you can get infected – through your network or your device – from anywhere around the globe. ‘Pandemic’ feels like quite a good word to describe that phenomenon, particularly since we are all using it at the moment.
ES: Is there a cure for the cyber pandemic?
Marcus Willett: I do not think there is a silver bullet-like vaccine; a cure is more about how nations might approach the problem. The trouble with people who have worked in my sort of background is the thinking that there is always, waiting for you, some technical silver-bullet – a wonderful technical solution that will solve the world’s problems when it comes to cyber. I do not think that is right.
If you think about offensive cyber, for example, the incentives are not great for states to talk about their most sensitive capabilities. This is because the most advanced states still think they have got such an advantage in terms of cyber that it does not make sense to reveal what they have developed to the world. But I believe states need to start a dialogue about the risks involved in some of these cyber capabilities, building on stuff that is already being done around developing norms of behaviour, to think about how we might better manage them.
So, I think a cure is more in the territory of better understanding the risks and better managing those risks than pursuing technical solutions. And the only way we are going to get to that is to recreate the sort of cooperation we see with the response to the current health pandemic. Additionally, I think that the best way of having those sorts of conversations is not to start at the most difficult end, which is, say, to try and work out some big deterrence theory and proliferation control treaty around offensive cyber capabilities. Because that is going to get silence from some of the big actors from the very beginning.
Instead, it is better to pick an area like cybercrime, where all states have a vested interest in trying to combat the defrauding of their economies and use that as a way to start the dialogue between states about how we can better manage these risks. Always, however, with the goal of an internationally agreed regime over what is a responsible use of cyber capabilities. The same way we have ended up with the understanding that it is generally unacceptable that people use barrel bombs and cluster bombs – that a guided missile is more acceptable.
ES: Is the United Nations (UN) the best space for this dialogue to take place?
Marcus Willett: Whilst it needs to be under the auspices of the UN, I cannot help but feel there is a certain group of nations that need to start the conversation. I would love to see, particularly, the Americans and the Chinese talking about cybercrime. That would start a dialogue that might help bring some of the conversations they are having around technologies – take Huawei, for example – into a better place – and where they need to be. If we carry on with this sort of competitive conversation around the future of cyberspace, I think we will end up with results that are not very good for likeminded nations like ourselves and our allies.
ES: Russia has been quite active at the UN on cybercrime. Do you see their recent proposal as a viable alternative to the Budapest Convention?
Marcus Willett: One of the reasons I suggested the US and the Chinese is to draw that distinction with the Russians, who are quite fond of coming to the UN with grand proposals that are, frankly, a little bit transparent. I did a conference in Berlin last year on a panel around cyber and question number one from the audience came from the Russian cyber representative to the UN Group of Governmental Experts (GGE). She laid out, not a question, but a statement about how the Russians were the good guys around cyber, claiming that they had been arguing for all sorts of things – like the cybercrime treaty you just mentioned – and for the outlawing of any military use of cyber capabilities. This was just after the Skripal incident and when that GRU unit was exposed at the Hague. So you can imagine how the Dutchman to my right reacted; it was an ‘actions speak louder than words’ situation.
A more realistic conversation with the Russians, since a lot of cyber-criminality emanates from bits of their territory, would be around legal jurisdictions and Mutual Legal Assistance in Criminal Matters (MLAC) arrangements – to try and get their assistance in pursuing some of this criminal activity. As you know, they are very unlikely to agree to that. And these are difficult conversations because they are likely to end up in accusation and counter-accusation.
I like the idea of the Americans and the Chinese talking about it; both with a vested interest, both without the past of being connected to cybercriminal gangs. That has got a higher chance of success. Yes, the Russians need to be brought into those sorts of conversations, but I would not start there because, again, it feels like too difficult territory. Cybercrime between the US and China: easier territory. Cybercrime with Russia: very difficult territory. Offensive cyber and military capabilities: very difficult with everybody. It is about trying to find those baby steps.
ES: Is cooperation between the US and China on cybercrime possible in the current context of the ‘tech war’?
Marcus Willett: What I am trying to argue is that there is more potential for a conversation around cybercrime than there is for a conversation on anything else, given the context of the tech war. It would be the best way of starting a dialogue because it is a rare area of mutual interest. Of course, you would have to start the conversation with a very clear definition of what you meant by a ‘cybercriminal’. But there are millions being defrauded from the Chinese economy by cybercrime, just as there are from the US economy; they are both targets of cybercriminals. So, you have got a better chance of starting a conversation there than anywhere else.
Does that feel overly idealistic given what is going on? I would have thought there was a chance if you just had the tech war or even just the trade war. However, if this escalates into finger-pointing around COVID-19 and an inquiry turns into making China some sort of a pariah state, it would be less likely. And you can see already how some of the stuff coming out of the White House is only going to antagonise the US’ relationship with China even more. So, no – perhaps the prospects are not as good as they were a few months back, but it is about more than just the tech war.
ES: Why do states such as Russia and North Korea use cyber organised criminal groups (OCGs) – either by shielding or cooperating with, and perhaps even masquerading as, them – to augment their cyber capability?
Marcus Willett: Something you said earlier resonated with me. When you alluded to the issue of defining cyber-criminality and the Russians perhaps having a slightly different idea. I remember the same sort of trouble around early attempts to talk with the Chinese about counterterrorism. You had to be very careful to define what you meant by terrorism for them not to think that that was an excuse to go after Uighurs in their own country. For the Russians, unless you are very careful about defining cyber-criminality, for them, people that we might call cybercriminals are patriotic hackers – an extension of the Russian state. That definitional point is a problem.
Another thing to note is the sophistication of some of the capabilities that have been developed by the organised criminal fraternity. In a good, realpolitik way, a state like Russia can see an advantage in these sorts of capabilities being developed by people sitting on its own soil. As you know, beyond cyber, plenty of corruption goes on between criminal gangs and the Russian state – and has done for centuries.
I lived in Moscow in 1983-84 as a student, during the height of the Cold War. And even though you could not read about it in the press, every Russian you spoke to knew that all sorts of arrangements were going on between the Soviet government and people they called mafia bosses – the mafia boss in Leningrad, as it was then, or the mafia boss in Moscow. There was the official world and then there was what really happened. So, I cannot help feeling – as so often in cyber – what you see being played out in cyberspace is actually a reflection of what has been going on for a long time in the real world. Sorry to use this phrase and be the first one to use it, but cyber is just a new domain for old age stuff. It is an accident of history and culture, going back through Tsarist times, that some slightly shady stuff goes on between the Russian state and parts of its population. Why should we be surprised to see that being played out in cyberspace?
In terms of the other point you are making, which is that some states pick up a modus operandi that makes them look like cyber OCGs – and I think you are mainly referring to North Korea there. Well, I wonder if that is out of choice or whether it is simply the case that the level of sophistication that they are able to attain is that of a cybercriminal group.
North Korea is a very interesting example. Everybody knows that they were behind WannaCry and the hack on Sony Pictures, and that they have been trying to defraud the global banking system – Swift and so on. I put it to you that North Korea is not able to do much more than that given its own massive vulnerabilities. For example, the number of connections that come out of North Korea to the global internet is extremely few, and so, for that reason, it often deploys its operatives overseas. It would certainly need to do that if it got involved in any sort of conflict, as it would have no chance of running offensive cyber operations from within its own territory if it was up against a capable cyber actor.
In other words, North Korea has had to develop these more distributed, low-level capabilities. I do not think they are deliberately trying to make themselves look like cybercriminals, it is just that is the sort of capability they know they can use and have access to.
Countries like North Korea and Iran have learnt from what other countries have done in cyberspace, which is perhaps not the lesson that was intended; it certainly was not the lesson intended for Iran around Stuxnet. They saw this activity and thought: ‘Oh, that is interesting. What could we do in cyberspace? And would that give us a reach beyond our own region that we have no chance of achieving with any of our other capabilities? Does it give us a reach even into the great Satan – the US?’. And lo and behold, it does. Their attacks are not going to be of the level of sophistication that can bring down the US’ Critical National Infrastructure (CNI), but they can have strategic effect. Whether that is propaganda effect or just being an annoyance, it nevertheless can be used to say to their citizens: ‘Look, we can do harm to the US’.
It is the famous point about cyber, that what can look like unsophisticated capabilities can proliferate and be picked up easily by states, from groups like cybercriminals, and then utilised to have a strategic effect in the mainland of a superpower, in a way that they previously could not. So, North Korea, and I would add Iran, are very interesting studies in some of the risks associated with the proliferation of cyber capabilities.
Sitting in the back of our minds, always – and this is the other thing big, cyber-capable states need to talk about – is the proliferation of some of those more destructive capabilities to terrorist organisations, and what that could mean. Everybody always assesses international terrorist groups when they look at threat actors in cyberspace. And the answer for years has been: ‘They know about the potential; they are interested and looking for it, but they do not have it’. And so, every assessment ends with: ‘So there is no need to worry about them at the moment’. Well, that picture could change. If ever terrorists work out a means of delivering the same sorts of physical destruction that they can through the use of a bomb, with cyber means, that is a bad day for everybody.
ES: How real is the threat of a catastrophic cyber event?
Marcus Willett: Having talked about cyber-criminality, terrorism, and states realising the asymmetric advantages they can gain through cyber capabilities, nevertheless, these are not where I see the greatest risk of a cyber catastrophe. The greatest risk of a cyber catastrophe, in my mind, is what is happening every second of every day, with the reconnaissance and prepositioning by states against their potential adversaries’ CNI – infrastructure like power, transport, communications – the bringing down of which would have catastrophic humanitarian consequences, as well as technical dimensions. And, while I am sure no state short of a conflict situation would intend to do that, my worry is that – as has already been proven in WannaCry and NotPetya – states, in trying to either reconnoitre a network or preposition for a conflict scenario, may accidentally make a mistake.
Prepositioning is necessary because, to have an effect in a conflict situation, you cannot go from a standing start: you either have that presence in the network or you have not. In other words, you need to establish a presence in the network in peacetime to be able to have that capability should a conflict occur. So, states are not only doing reconnaissance, they are doing pre-positioning. And the chances of something going horribly wrong, I would say, are fairly high.
What worries me most about that is, even just the detection of that sort of activity – what some may define as a cyber attack – could cause escalation. And how states try and deescalate in a cyber catastrophe is still something we have not properly thought through. How a prime minister or a president would be brought into the discussions around such a technical subject, that had spilled out into real-world loss of life and escalation, in a way that could deescalate the situation, is an issue at the heart of where we need to get to around international conversations, under the auspices of the UN, for cyber.
My argument is that, although this is the biggest risk, you cannot start with this conversation amongst states. But you have to start the conversation somewhere, so have it about cyber-criminality. Do not be deceived, however, in forgetting that the biggest risk is the one I have just been through: a mistake by a state in cyberspace that is interpreted as a potential act of war. That is the biggest risk in cyberspace.
How likely is that sort of catastrophe? The sad thing is that we do not really know, except to say that it is probably more likely than we should be comfortable with. The problem is we still do not properly understand what is happening in cyberspace. But there is lots of reconnaissance and prepositioning going on, all the time, by states, against each other’s CNI. Do not be deceived as to what is reported in the press about there having been 200 cyber attacks in the last ten years, or whatever the figure is. It all depends on what you mean by a cyber attack.
ES: Your comment on translating technical information to world leaders really resonates with President Trump in the White House. With a lack of precedent for escalation in cyberspace, there is no knowing if and how he might act.
Marcus Willett: Unfortunately, if you are an official in the US administration at the moment, you know you dare not mention the word cyber to President Trump. Because – and this is a massive generalisation – to him, all he can equate cyber with is: ‘The hacking into of our electoral processes and people saying that cyber is the reason I got elected’. Whilst he has made statements about the use of cyber in the past, I know from private conversations with ex-colleagues who are in those positions, that cyber is a subject you have to handle very carefully. Otherwise, you press the wrong button with the President, and it ends up not being a conversation, but the receipt of an earful. So, it is a huge challenge.
ES: And finally, in the context of the coronavirus crisis – and discussions around sovereign capability, national tech companies, supply chains, and so on – is the Balkanisation of the internet preventable?
Marcus Willett: This is a very interesting question. Balkanisation, or even bifurcation of the internet, which is the other phrase that is thrown around, is the concept of two internets. One model is what we have at the moment: multi-stakeholder governance, free, with a balance between states, NGOs, the private sector and techy-coders; and then how that internet is developed and run, with a balance between the rights of individual citizens, the private sector and governments. And the second model, which is being pushed by the Chinese and the Russians, which entails greater state control over sovereign cyberspace. This can sound like just a technical issue, but the implications for how the global economy works, for example, are massive.
Why would states not want more control over the threats to them and their own sovereign bit of cyberspace? Well, the net result may be, instead of having a conversation about how you can achieve control with a single internet and a single global economy, you end up with two separate versions, then three, or four, and so on. And do not forget what the word Balkanisation means: it is the disintegration into individual components that compete, or even conflict. And if there were two separate internets, one Chinese and one US, broadly speaking (although there is talk of a RU.net and the Iranians have invested quite a lot of money into trying to develop their own intranet) the current risks around cyber that I described earlier, between states, become even greater.
Imagine if you had no vested interest in that other internet: it is not connected to your economy; none of your CNI is dependent upon it. What would the incentive then be for states to restrain themselves around their use of cyber capabilities?
That is my worry about Balkanisation and why I fear a tech war, to which the only solution is to ban bits of tech from your own networks, ends up being self-defeating. Not only immediately, as you can see with all the US tech providers, for example, going to the White House saying: ‘Do you not realise what that does to our own economy and our ability to export into those markets?’. That is almost putting an Iron Curtain down that virtual world of the internet. And if you think about how dependent we are all becoming – with the Internet of Things, smart cities, and smart homes, and so on – that virtual curtain could only be followed by a real-world equivalent. I think it is incredibly short-sighted, and it can only lead to increased risk geostrategically.
Having said all that, if you are sitting here in a place like the UK you speak with two different voices. You certainly support the idea of a single, multi-stakeholder, free internet. But Ministers also worry about the UK’s ability to deal with terrorists and cybercriminals in its own bit of cyberspace because of issues such as the spread of ubiquitous encryption by big US tech companies. So, the UK also has a sovereign problem around understanding some of the biggest threats in cyberspace. It is a difficult question to answer, which becomes especially challenging for a middle-ranking country like the UK: one that instinctively does not want to see Balkanisation and cyber sovereignty, but also wants a bit more sovereign ability for national security reasons, over its little bit of cyberspace. It is a fascinating subject that is, I think, just going to roll. But I do not like the idea of banning tech from your own network; it is unrealistic and just not the way to go.
In some ways, the US has hit the strategic thing that is going on: a global competition about how the internet in the future will be developed, between itself and China – its main rival in this space. That is the big strategic point. And though the UK may not have woken up to that issue, the US tactic feels wrong. The UK tactic, ironically, perhaps not having recognised the strategic issue, feels better. And for those who love their deterrence theory, this is the idea of deterrence through entanglement – which everybody debates whether it really works or not. The notion that a potential adversary entangled with the global economy and in global cyberspace, is far easier to deter from bringing down that economy and that cyberspace than it would otherwise be.
And one more thing: look at this from China’s perspective. China is desperately dependent on eight US companies for how it runs its own networks. You could list them: Microsoft, Qualcomm, IBM, Intel, Cisco, and so on. They call them the eight guardian warriors. Yes, China does talk about having its own internet and ‘the Great Firewall’, and all that sort of stuff. But interestingly, two of those eight companies – Microsoft and Cisco, I believe – sit on China’s cybersecurity internal standards-setting body. IBM and the Bank of China develop technology supporting trillions of dollars of financial transactions around the globe. The People’s Liberation Army (PLA) uses Microsoft. I mean, that is just how it is – they are thoroughly entwined. Why would you try and persuade the Chinese that the better solution is for them to start developing everything indigenously; to not use anything American and wipe out half of the world’s population from your markets? I mean, why would you do that?
Ed Stacey is a BA International Relations student at King’s College London and a Student Ambassador for the International Institute for Strategic Studies (IISS). The #IISStudent Ambassador programme connects students interested in global security, political risk and military conflict with the Institute’s work and researchers.
Marcus Willett CB OBE is a Senior Adviser at the IISS. He helps to develop and deliver a programme at the IISS that researches the use of cyber and related technologies as levers of national power, including their role in future conflict. His initial focus is on developing a methodology for measuring cyber power to assist national-level decision-making.
Ed Stacey is an MA Intelligence and International Security student at King’s College London. His research interests revolve around technology and global security, particularly cyber security and emerging technologies, and counterterrorism. He has a BA in International Relations from King’s College London.