Alexander Klimburg on "The Darkening Web: The War for Cyberspace"

JOANNE MYERS: Hello, and welcome to this podcast, which is coming to you from the Carnegie Council in New York City. I'm Joanne Myers, director of Public Affairs Programs here at the Council.

Today I will be speaking with Alex Klimburg, author of The Darkening Web: The War for Cyberspace. In it he explains the consequences of states' ambitions to project power in cyberspace and why we underestimate these initiatives at our peril.

Alex is a program director at the Hague Centre for Strategic Studies (HCSS), a non-resident senior fellow at the Atlantic Council, and an associate and former fellow at Belfer Center at the Harvard Kennedy School. He has acted as an advisor to a number of governments and international organizations on cybersecurity strategy and Internet governance.

We are delighted to have the opportunity to talk to you about the pressing issues of cybersecurity, information security, and Internet governance. Thank you for joining us.

ALEXANDER KLIMBURG: Thanks for having me.

JOANNE MYERS: In The Darkening Web, you write that "at the beginning the Internet was seen as a utopian ideal, a promise of a harmonious world connected through shared information, but two decades later the future isn't as bright." Briefly—I know a lot has happened, but what cyberthreats concern you the most?

ALEXANDER KLIMBURG: In the West we're used to seeing cyberthreats as being primarily a technical issue, and the worst possible outcome is cyberwar or cybergeddon. In any case, it destroys critical infrastructure with the lights going out. That is a real threat and one that we should take seriously. But there is also another threat: In Russia and China cyber is viewed as being more of a psychological issue and more about information, and the worst possible outcome is information warfare, and in their personal cases, the downfall of their regimes and their governments. So they are more concerned with cyber as an information warfare tool, while in the West we see cyber more as a technical issue.

In that context, when we get these two narratives confused with each other, then we run the risk of missing key strategies of the adversary to push the Internet in a direction that, in my mind, it should not go to.

JOANNE MYERS: Do you think we underestimate the threats and the consequences of the states' ambitions to project power in cyberspace?

ALEXANDER KLIMBURG: Yes, I think we do, and I think we do so on many different levels. First of all, when approaching it from the pure technical side, the way the West traditionally sees cyberspace and cyberoperations, I think we have long avoided the fact that being active in this space will encourage other actors to be active in this space, and so we can therefore contribute to something approaching an arms race in cyber.

Second of all, there are some parts of cyberspace or cyberoperations that are very easy to confuse with each other. For instance, it's very difficult to distinguish between pure cyberespionage operations and actual preparations for an imminent attack. They are basically the same thing. So from a defender's point of view, it's very easy to think when you see somebody spying or sitting on your system that that person is about to pull the plug on you, even if that person is just reading your emails. And that makes it quite dangerous, because that might force me, as a defender, to take rather drastic actions.

Third, the problem is that I think we fundamentally misunderstand how some actors—particularly Russia and China—see cyberoperations. They really sometimes have different goals in stealing our data or destroying our data. They want to form political opinion. And when we see cyberattacks through that lens, then the recent spate of cyberattacks also looks a little bit different. It looks more like the objective is to push us and our narrative in a specific direction rather than simply trying to get a toehold for future cyberoperations or even just to steal data.

JOANNE MYERS: The cyberpolicies of China and Russia differ from those of the United States. How do they define information security?

ALEXANDER KLIMBURG: Information "security" is the key word. It was defined many decades ago within a communist context in the Soviet Union, and it helped inform, for instance, the information security doctrine of the Russian Federation, which effectively included two definitions of cyberattack: one was a technical definition, and the other was a psychological definition.

The psychological definition was more important than the technical definition. The psychological definition also included such things that would "undermine the spiritual renewal of Russia." Any comments that would therefore undermine this spiritual renewal of Russia or would detract from the Kremlin or make Putin look bad is a cyberattack in their view.

Of course, this doesn't really work in the West. We see it as primarily a technical issue. But in Russia and China they see it really in terms of propaganda, information control, and influencing their domestic affairs. This is why it is very important to understand how they see cyberspace because they have now brought their interpretation to us with information warfare activities in recent years.

JOANNE MYERS: So they're using it more as a weapon than as an informational tool for the global good?

ALEXANDER KLIMBURG: Absolutely. Their intent is partially to simply put forward the weaponization of information per se. They want to be able to have a conversation that says: "Well, we think The New York Times is saying very bad things about us. We want to shut that down"; or "We don't think The New York Times should be allowed to provide Chinese language translations that only our dissidents will read. We want you to shut that down." That is the kind of discussion they really want to have, and that is the kind of discussion we can't possibly want to have.

Therefore, we have to be very careful when we talk about government fixes and doing something in cyberspace that we don't advance the narrative of Russia and China, and that narrative is effectively to turn the Internet as it is currently, which is simply a neutral playground for mostly positive things, into a security domain where security concerns of states are paramount. If we go down that road, and there will be little room for free speech.

JOANNE MYERS: The word "cybersecurity" itself can take on many different meanings. How do you define it?

ALEXANDER KLIMBURG: Cybersecurity overall has been defined as including not only technical issues, but also any type of activity that is conducted through cyberspace and which effectively needs to be secured from disruption or threats. So, cybersecurity is always related to, in my mind, three important criteria—the confidentiality of data, the integrity of data, and the availability of data.

I don't consider the use of that data, for instance, the hostile use of information, to be a matter for cybersecurity. Therefore, I don't consider, for instance, information warfare to be part of cybersecurity.

I consider cybersecurity to actually be something I rather would call "data security," looking particularly at data as an object and talking about the proprieties of that object to make it work as it's supposed to work. That is not compatible with definitions of information warfare, but that is also the intent. I think it is incredibly important that we don't have cybersecurity and information warfare narratives overlap.

When we get attacked in an information warfare context using cyber means, then that's what it is. If it's an information warfare or propaganda attack using cyber means or a sabotage attack, it's not a cyberattack. I think it's important that we draw that distinction.

JOANNE MYERS: What is cyberwar to you then? Where does it begin, and where does it end?

ALEXANDER KLIMBURG: For me, cyberwar is 100 percent kinetic. I don't think it is all-out information war; that is a different definition. An all-out information war can also be conducted using cyber means, and it also can be conducted only using cyber means.

But when we talk about cyberwar, for me the key term here is really "war." War in international law is clearly defined. There are not many ways you can get there. It has to really have significant death and destruction to be considered a war. So, in my mind, you really need to blow things up or seriously disrupt things for it to be considered to be an act of war.

Any type of propaganda attack, no matter how severe, cannot be considered an act of war. If we go down that route, then effectively the entire international order has to be rewritten, and that would not be for the better.

JOANNE MYERS: How can we build a safer cyberworld? Is there a role that government has in securing cyberspace then for the common good?

ALEXANDER KLIMBURG: They definitely have a role to play, and that role is partially one they've already embarked upon, and that is the role within the international security environment, the state-to-state discussions on trying to figure out what the norms of cyberbehavior are, what the rules of the road for states should be in cyberspace.

Russia and China and some other states want to have a treaty about these issues. The problem with a treaty is that, just like the Biological Weapons Convention, it is unenforceable. The Internet is not only dual-use, it is omni-use. You can use it for anything you want, and therefore any treaty that we sign in cyberspace is by definition unenforceable.

Therefore, the consensus has been in the West to explore avenues of politically binding actors to certain norms and to certain agreements. I think this is a good way to go. It is very important, however, to make sure that those highly important security conversations are not allowed to touch the core of the Internet, the way the Internet is run.

The way the Internet is run is by the multi-stakeholder model. It's the quintessential bottom-up process, where civil society, the private sector, and governments all work together in their respective areas to basically form and govern cyberspace. It is a little bit like global finance. In that case, it's not really possible to identify a single actor who really controls all the world's money and all the world's banking. There are a couple of actors who are pretty important, and they need to work together according to their own rules and regulations.

Government should not try to impose its maximum will on this because it will not work. We have to keep in mind that the Internet has only been successful because it was a bottom-up venture; it grew, as it were. There were attempts to build top-down Internets, including in France and Russia, and they all failed. Therefore, we have to keep the bottom-up nature, and we have to keep the nonstate nature. If we don't, the Internet will become something quite different, and I don't think it's something we would really like to have.

JOANNE MYERS: Who matters more, though, in the Internet's future then, the states or the individuals?

ALEXANDER KLIMBURG: There is no question at the moment that when we say civil society, private sector, and governments all work together in cyberspace to help manage the Internet, it's really in that order. So the power of governments is really quite low. They can listen in on things, and they can blow things up, but they don't build anything in cyberspace; they don't build anything in the Internet.

So effectively that balance can't change because that's the way these things are simply run. Governments can't simply order the volunteers and the hobbyists who have dedicated so much of their time to actually code the backbone of the Internet to code it in a different way. If they try to do that, these people will just go someplace else and they will code another Internet. They also can't tell every single company in the world how they're supposed to design their products for the Internet. That's not going to work either. The Internet, therefore, always will remain a bottom-up structure.

However, there are things of the Internet that governments would really like to have more control over, in particular the so-called Domain Name Service (DNS), effectively the telephone book of the Internet. But that is also something that can't possibly be left in governments' hands because it is currently managed as a technical issue only when trying to make sure that the thing works, not what it says or what it does; it doesn't judge the content. If governments are allowed to judge the contents of the telephone book and say "disconnect that person, disconnect that person," then we are very rapidly in an area of information control that no democracy should really want to be in.

So in the future I think governments should really concentrate on, first of all, getting it right in international security. That is their responsibility, to make sure that we have clear rules and regulations that govern the use of cyberoperations between states.

Second, they should also have a long-running debate about law enforcement where you can also talk about fair use of Internet if you want, economic aspects, and capacity development. There are a billion new Internet users who are going to be coming in the next 10 years; what preferences are they going to have? That's the second basket.

The third and final basket is the most important for me, and that's Internet governance. Internet governance cannot possibly have more government influence than it has right now. If it does so, then we're talking about politicizing the road or turning over the oceans or every single global common space to government, and that is a dangerous proposition.

JOANNE MYERS: Do you think a globally representative system will actually work?

ALEXANDER KLIMBURG: I think there are very interesting examples to be had, for instance, from how we dealt with climate change, how we deal with financial issues, for instance, and how we deal with health issues. We have been looking at a lot of these analogies over the years. A CNN reporter once said that what analogy you pick says a lot about you as a person.

I actually think all of the analogies out there have a useful function in certain areas. Cyberspace is such a huge topic. Like finance, like medicine, there's not one particular easy way to describe all of it. But I also think it's not necessarily important that we understand all of it all the time. But everyone needs to understand a little bit and how it relates to them. What I was trying to really touch upon was just like in the global financial system, you don't necessarily need to know the ups and downs of the international bond market, but you do want to know if the housing market is going to collapse; you do want to know if your mortgage rate is going to go up; you do want to know if the economy is going to go up or down.

These types of macro issues also exist in terms of Internet freedom. Certain things can happen through the actions of governments and through the actions of individual companies that will massively change our individual Internet as it is, and it is important that people are aware of that, which is why we have to pay more attention to this issue.

JOANNE MYERS: In your recent reading or experience, have you come across any emerging or future technologies that we will have to worry about from a security perspective?

ALEXANDER KLIMBURG: "Worry" is not necessarily the right term, because we don't know exactly how they will develop, but one of the greatest disruptors that is going to happen that is directly related to what I wrote about is quantum computing, and the second is artificial intelligence (AI), and they're kind of related to each other.

Quantum computing is going to fundamentally change a lot of how our codes are written. Quantum cryptography is going to be a whole different level of cryptography, and quantum computing—which is not the same thing—is going to allow us a much larger rate of processing power, which effectively is also going to change what we can do with computers.

But those twin developments, which are not the same things, might upend the present order again, and maybe in five, seven, ten years. It might also suddenly make all the encrypted information out there—that we think is safely encrypted and that nobody can figure out—they can suddenly maybe crack all those codes. So it might be rather interesting to see what happens then when suddenly all those hidden bits of information that nobody ever decrypted before are suddenly decrypted.

The second thing that will happen is artificial intelligence, which I think actually is not the biggest threat, although many very important people have said it is. I think the threat is what happens with the data set that they can draw upon. We have huge data sets out there that are not connected yet. Some actors, like the National Security Agency (NSA), have access to quite a few of them; some of them, like Google, sit just on one gigantic huge data set. But AI might be in a position to connect those data sets, and might find new patterns that we haven't previously realized.

That is one thing that might also fundamentally change our outlook, again for better or worse, who can say?

JOANNE MYERS: Thank you for this very thought-provoking discussion and for making it quite clear that the debate about the different aspirations for cyberspace is really about our global values. I would encourage you all to read The Darkening Web: The War for Cyberspace, because there were so many more issues we could have touched upon, but due to time constraints we had to end here.

Alex, thank you so much for joining us, and I look forward to reading and hearing more about what you're doing.

ALEXANDER KLIMBURG: Thanks for your time.