Exclusive interview with Ariel (Eli) Levite, Nonresident Senior Fellow, Nuclear Policy Program & Cyber Policy Initiative Carnegie Endowment for International Peace
Q1. In the nuclear field, people took the first 20 years (from the 1950s to the 1970s) to make arguments and figure out basic norms and behaviors. In the 1970s, people made agreements internationally. Nowadays, cyber security issues have been experienced for the first 30 years and are experiencing similar problems as the nuclear field. As a nuclear expert, which experiences can the cyber field borrow from the nuclear field?
A1: One common aspect is that both nuclear and cyber have been central issues in international relations. During the Cold War, nuclear weapons and the prospect of a nuclear war were the defining issue of the time, literally the currency of international relations. That has now been superseded by cyber. Cyber, like nuclear, is not only the weapon or the means, it is a leading means through which international relations play out today.
When we look at cyber weapons now, they are not solely possessed or employed by Cold War superpowers the United States and Russia (Soviet Union), but also by many additional actors in the international system, including states and, increasingly, non-state entities.
A second dimension of the comparison between cyber and nuclear is that nuclear technology has been seen from its inception as a dual-use technology: military application on the one hand and civilian and energy application on the other. But after the late 1970s, the hope that civilian nuclear energy would become the dominate form of energy began to decline. Like nuclear, cyber is very much a dual use technology. Digital economy is, for instance, a weapon of multiple effects as well as an instrument of crime. Yet the opposite may be happening here; the civilian applications of cyber technology have been growing very fast, much faster than the military ones, particularly in the growing role of and dependence on the digital economy. So the pressure of civilizing this domain, inter alia by establishing some rules of the game that could help stabilize this field is much bigger.
But the challenges of developing such rules of the game in the cyber field are bigger than those in the nuclear field, because many more players are involved and some of the most important among them are not states, but big corporations. Also, the technology is developing more quickly. These are all complicating factors. Yet the pressure to civilize this domain is bigger because the balance between the military side and economy side increasingly tilts toward the latter. It makes rules more difficult and at the same time far more essential. So we have a real challenge in front of us.
Finally, if you apply the IAEA model for cyber, it won’t work because the IAEA is an inter-governmental organization. ICAN is an important innovation in doing multi stake-holder governance in one area of cyber space, and thus presents itself as a far better model to look at.
Q2: What’s your view of negotiation of UNGGE? In the summer of 2017, GGE failed to reach a regular file for the first time.
A2: Personally, I never believed the UNGGE will be productive, so I’m not surprised at all at its failure to yield a productive outcome in 2017. I doubt that a forum representing such conflicting interests could go much beyond very general and ambiguous agreements. This holds true of other UN negotiating bodies such as the Conference on Disarmament or the NPT review conference.
In the 1960s, there were many countries that were initially unwilling to sign and then ratify the NPT. Most ultimately relented but only after it was agreed to that the NPT would make it legitimate to possess and acquire much dual-use nuclear technology and after the five established nuclear states committed to eventual disarmament. And the IAEA was reconfigured to be able to monitor and facilitate nuclear developments, but try ascertain if it is applied solely for peaceful purposes. But many of them are today unhappy with the bargain struck at the time in the NPT.
Let us think for a moment about the cyber analogy. Who would agree today with such an asymmetrical arrangement? Which important countries would agree to foreswear development of cyber weapons? Who believes that cyber technology and its applications could be verified the way nuclear technology could? The answer to all of these questions is very few. So the task ahead of us is to craft a cyber-specific regime.
Q3: In the nuclear field, we consider the states as the main players; however, in cyberspace, so far different countries hold different views on sovereignty theory. Do you think it’s more difficult to build norms?
A3: In 1960s, the U.S. dominance of the international system was very pronounced, and the Soviet Union also carried much weight in the world. So between them, assuming they had common interests, they could largely impose their wills on some critical issues upon the rest of the world. The NPT was one product among many of this era. But to me, this is not so much about nuclear as much as it is about the power distribution in the international system. Not one or even two states currently carry so much weight in the system, and there are many issues that drive them apart rather than bind them. And power has evolved in part from individual states to a larger organization in the form of the EU, while it has also devolved to multinational corporations and even individuals. So far there is a greater divergence of interests in and around cyber issues compared to nuclear ones. Just one example is how far apart U.S. and Russian interests are in this domain. So the present conditions are not conducive to reaching agreements in the cyber sphere that will bind most if not all of the relevant players.
Yet we should not despair, nor give up on our efforts to promote governance in cyberspace. The anxiety that there would be no stabilizing factors which would usher in an era of cyber chaos with all the attendant consequences for security, stability and welfare does help motivate nations and others to try to do something meaningful together. The consequences of failure are simply too dire to risk. Let us derive our inspiration from the global warming realm. There are roughly 200 states in the world. Clearly, we would want all of them to cooperate toward the common cause of driving down emissions that risk global warming. Yet progress can still be made even if not all cooperate. Because the risk posed by global warming is simply too great and its consequences will set back practically everyone. So when the U.S., after Donald Trump was elected president, began to walk back its commitment to the Paris Accords, China, which was initially very circumspect in its willingness to move aggressively to cap harmful emissions, stepped up to the plate. It might take a while, but eventually in cyberspace, like in the physical environment, we are bound to see growing collaboration as the realization of what a rule-less world might look like dawns on everybody.
Q4: So the government cooperation should be a model of others?
A4: I think it should indeed be the inspiration and a model. We should never give up trying to make the collective good prevail. Even if in climate, cyber and even nuclear (like the JCPOA or the DPRK) we initially stumble through serious crises, and those that go at it alone complicate our life and endanger our common future.
Q5: In the military sphere, we’ve already seen the worst outcome of nuclear weapons in 1940s Japan. But in the cyber field it’s more ambiguous. Can we predict the worst situation in the cyber field?
A5: The experience in Japan was so dramatic and traumatic that eventually everyone realized (including those who had initially thought otherwise) that the goal ought to be to secure peace and stability without ever using nuclear weapons again. The analogy to cyber, though, is imperfect. In cyber, many fear that cyber warfare could cause catastrophic damages and effectively be a weapon of mass destruction, hence are reluctant to use it and see other employ it as well. Yet an ever-growing number of other people now believe that cyber weapons can nevertheless be employed successfully with much more localized, temporary, reversible and otherwise limited effects, in other words, as weapons of discriminate disruption which they can leverage to their advantage. The result is that numerous smaller scale attacks are occurring all the time, in fact their numbers keep on growing fairly dramatically, because the fear of catastrophic attacks has not yet been realized and so many people now think with some justification that not every use will be catastrophic. Looking ahead, the odds are that the world will not experience catastrophic attacks, which is very good news. The bad news, however, is that we are likely going to witness an ever-growing number of smaller attacks, a trend we are already witnessing.
My second point is that the analogy between cyber and nuclear also breaks down on the proliferation issue. The world has been very successful in preventing the nuclear weapons from falling into the hands of terrorists and most reckless regimes. While very few of the latter that have been able to acquire nuclear weapons have been largely restrained in their use, this is hardly the case in the cyber domain, where we can observe not just incredible proliferation of dual-use cyber capabilities and of offensive cyber tools, their weaponization, and employment. As a consequence, it is likely to prove all the more difficult to prevent small to medium levels of cyber attacks, and practically impossible to contemplate traditional forms of arms control in cyberspace.
Q6: So the advancement of nuclear and cyber weapons, to some extent, helps us to make rules and behave ourselves.
A6: Let us bear in mind that there was a period between the1960s and the 1980s when important people believed that one can conduct nuclear war of a more limited scope. And so called "tactical" nuclear weapons were developed to operationalize this concept. Thankfully in the nuclear realm we now seem to have vestiges of such thinking only remaining in Russia and Pakistan. This is hardly the case in cyberspace, so I am more reserved in my optimism that we can develop meaningful rules to govern cyber warfare, get universal buy-in to them, and enforce them effectively. Cyber weapons might prove not only usable and effective, but actually legitimate to employ, and may in fact be preferable and complimentary to kinetic weapons, especially in war situations.
Q7: The definition of cyber weapons now is still unclear; sometimes it’s wide, at other times it is narrow. Was it the same for nuclear weapons for the first 20-30 years?
A7: There are both similarities and differences. I think I have already alluded to some when talking of "tactical" nuclear weapons. So let me confine myself here to just one example. Nuclear weapons have not been used since 1945. But nuclear threats, veiled and explicit, carried out through statements but also through actions, have been employed intensively and extensively over this period. So people found out that one can actually employ nuclear weapons for many purposes without resorting to a single nuclear weapon release. They are often employed to reassure allies, to intimidate and deter adversaries, and to convince one's own population that you are secure regardless of the threats you face. We are beginning to see a similar pattern emerging in the cyber domain. Diverse applications of cyber weapons for signaling, deterrence, compellence, and retaliation, as well as a demonstration of might for one's domestic consumption. Yet none involving the unleashing of the full destructive power of cyber weapons. I do not think this is a mere coincidence.
Q8: Do you think it should be more clear on defining cyber weapons?
A8: I think it’s extremely difficult to do so because key attributes of cyber weapons and warfare are quite similar to more traditional forms of intelligence operations in general and cyber intelligence in particular. While the goal of the operation might be very different, there are nonetheless many commonalities in the tools employed, the process of the application, the computer networks and systems attacked, etc. Consequently, the definition that you ask about is difficult to arrive at.
Q9: In your mind, what are cyber weapons like?
A9: The cyber domain—and its associated hardware, software, and human resources issues—is constantly growing and evolving. Information and communications technologies can serve myriad peaceful and coercive purposes in addition to providing legal and illegal means of generating wealth. In the context of inter-state conflict alone, hundreds of analogies could be drawn and analyzed between cyber weapons and their predecessors. Capabilities and plans exist and are being developed further to use cyber assets on a large scale, in combined-arms military campaigns. Cyber operations could be conducted to cause massive disruption and, indirectly, significant destruction and even human casualties.
Cyber weapons might extend the militarily, politically, and morally attractive logic and functionality of precision-guided missiles (PGMs). Cyber weapons offer the potential of “exquisite precision” in terms of targets and effects, although this potential may be very difficult for many actors to achieve in practice. They involve “minimal risk to the lives of the service personnel who ‘deliver’ them” and are “likely to cause fewer civilian casualties than even the most carefully designed and executed kinetic attack.” As a result of these attributes, cyber weapons “could further lower the threshold for the use of force.” At the same time, the effective use of cyber weapons requires sophisticated intelligence, surveillance and reconnaissance, and time-sensitive battle damage assessment. As with PGMs, it also remains questionable whether cyber weapons can accomplish larger, strategic political-military objectives. From all this, the fundamental question arises of whether cyber weapons will augment deterrence of military conflict or make conflict more likely.
Q10: What will the cyber conflict effect be?
A10: Cyber weapons are especially—perhaps uniquely—useful in the grey zone of confrontation below armed conflict. The Russians’ 2007 cyber attacks on Estonia, the U.S.-led Stuxnet attack on Iranian centrifuges, the Iranians’ destructive 2012 attack on Saudi Aramco’s desktop computers and 2011–13 denial of service attacks on U.S. banks, and the 2014 North Korean attack on Sony Pictures Entertainment—all exemplify diverse secretive coercive cyber operations short of warfare.
That said, cyber capabilities also create effects that can be vital to the conduct of war (and terrorism). Cyber capabilities now indispensably enable most of the communications, reconnaissance, command-and-control, and operational functions of modern militaries. Cyber networks do more for militaries than any other single previous technology, greatly boosting the defensive and offensive capacity of states and their militaries. At the same time, of course, it also makes them vulnerable to disruption in unprecedented ways.
Complementing their enabling potential, cyber weapons also can be disruptive or destructive in and of themselves. Like earlier forms of electronic warfare, they can blind, deceive, degrade, and even disable and destroy an opponent’s communications, reconnaissance systems, navigation, command and control, and weapons’ targeting and operation. Cyber weapons also can have a much greater impact on infrastructure and physical systems than traditional instruments of electronic warfare can because they increasingly control the operations of these systems (like energy generation and dissemination, water pumping and distribution, transportation flow management, ICS in industrial plants) and many others. As such, cyber interventions cannot only disrupt the operations of these systems, thereby causing chaos in the physical world, but they can be optimized to cause their destruction. Furthermore, attacks on repositories of data in sensitive areas (such as financial data) can not only deny their availability and corrupt their integrity, but have a global effect on the functioning of the global financial system. Not to mention the cascading effects of such attacks.
Major powers have already used such offensive cyber capabilities against others, but they have been very cautious in the targets they go after and the effects they seek against them. And they have not directly engaged each other in escalatory warfare in the cyber domain. Thus, there is no empirical basis or analogy for evaluating how the dynamic competition between enabling and disabling cyber operations would play out in actual combat among peers.
Q11: What’s the biggest difference between cyber and nuclear?
A11: In general, I think there are some similarities in their historical evolution and revolution. As said earlier, in many ways cyber now plays the role nuclear had played in world politics through the 1970s, but even more so.
What is very different is the centrality cyber has assumed for functioning of the civilian economy (which nuclear aspired to but never gained), its fusion with intelligence operations and other homeland security and military functions. And the capability it has provided for both empowering criminals and communications of groups and individuals all over the world.
Q12: That’s why you started to do research on cyber?
A12: The main reason we at Carnegie Endowment for International Peace do cyber research and global policy development is that we have spent many years doing so in the nuclear realm. And we gradually came to believe that it was possible and important to try to leverage our skills to do so in and for the cyber domain. In the area of nuclear policy, our efforts have been aimed not just at analysis of trends and their implications (all the way from nuclear energy to nuclear weapons) but even more ambitiously to develop global rules of games in the nuclear domain. One case in point is our 8-year effort to develop and lead the Nuclear Principles for nuclear power plants. Another is a 6-year process to develop the concept of a Nuclear Firewall. We have realized that now we could adopt and apply some our skills, ideas, credibility, and global reach (we at CEIP are at truly global think tank, with centers in Washington, Moscow, Beijing, Delhi, Brussels, and Beirut) with some adjustments to the cyber world.
Q13: For the cyber part, what’s the most concern for the experts to explore more?
A13: Two priorities. One is to try to get all relevant governments to commit to refraining from undertaking premeditated cyber attacks and other related activities that could cause widespread suffering and undermine the dynamic stability of the international system. The second priority is to minimize the prospects of unintended miscalculation and escalation in and through cyber actions.
Q14: For now, many countries distrust each other while they are making rules and having discussions on cyber issues. Is it the same in nuclear field? Can countries make it when they distrust each other?
A14: Yes, profound distrust does exist in nuclear field too. Suspicions abound. The question we should be asking ourselves, though, is whether such distrust is severe to the point that makes it impossible to have any civilized rules of the game. In the nuclear field the answer has proven to be encouraging . While the distrust was never entirely overcome, a significant degree of cooperation has nevertheless proven possible, and it has survived many crises and challenges over the year. And in fact created a basis for dealing with new crises (such as Iran and potentially also the DPRK) as they come along. Might the answer be the same for the cyber world? I cannot answer with full confidence in the affirmative. But I am inclined to believe something useful can be done in this space, notwithstanding the distrust and multiple other challenges (such as the number of relevant stakeholders, the nature of the technology and its evolution, and so on…). Let me underscore one point here. Norms and distrust always co-exist in some form. Because in the absence of suspicions there is no need for norms. And when distrust is total, no norms are possible, because they are pointless, or worse outright counter-productive.
Q15: What red line do you think we should draw in cyberspace for states and non-state actors not to cross?
A15: There is big responsibility for governments to facilitate cooperation in strengthening trust in the ICT and ICS supply chain. Here both governments and corporations must collaborate. To balance between their legitimate requirements for obtaining information for various national security, homeland security, and law and order functions on the one hand and commercial applications on the other. Actions governments might take could seriously undermine the trust in ICT and ICS systems. And in the process set back the commercial developments, and the dissemination of the benefits of the digital economy.
Toward this goal some rules of the road must be developed on what governments and corporations ought to do, what they must refrain from doing, and how can we incentivize good behavior, penalize bad ones, and monitor compliance. China and the U.S. (with important potential contribution from Europe) must take the lead here, and encourage their leading companies to take part as well.
Q16: But so far in cyber and commercial industries, there is an imbalance. The U.S. plays in the dominant role, and others are relatively weaker.
A16: I think the power structure in this arena is shifting and the picture I would paint is far more nuanced and dynamic. While the U.S. remains No.1, China is No.2. and has been catching up and becoming an almost equal partner. But with its growing stature obviously also comes the responsibility for helping promote order and civility in this space. Like in the climate arena; obviously here in cyber we are talking not just about governments but also leading corporations. Let me add that there are other important players in the cyber domain beside China (and Chinese corporations) and the U.S. (and its leading corporations). These include the Europeans, Japan, South Korea, Russia, even Israel, my motherland. Israel, for example, is a small country when compared with all of the former, but nonetheless a formidable cyber power in both the civilian and national security applications. Singapore is similarly emerging as an important cyber player.
Q17: Do you think digital economy and cyber security spaces conflict with each other?
A17: There is indeed obvious tension between the two, but there is also synergy and complementarity between them. But perhaps an even greater tension exists within each of these domains, between, say, commercial benefits and privacy concerns, for example. And between reaping commercial benefits from the digital economy and the opportunities this dependence creates for serious crime, and in the military and intelligence competition exists between the various big powers capacity to spy and inflict damage on each other using cyber but also with the growing capacity of diverse non-state actors to inflict pain and cause disruption to all powers.