By LT Travis Nicks, USN
Open borders are here. You likely crossed the Rio Grande before breakfast this morning and you’ll sneak into China before you sleep tonight. Trons travel through cyberspace ignoring all manners of political boundaries. Technology doesn’t care where Ukraine ends and Russia begins, or about an air gap between China and Taiwan. The policy of cyber does; it shouldn’t.
Conceptualizing Cyber Borders
The national policy for cyber borders has been similar to conceptions of airspace: a vertical extension of geopolitical borders into the sky, or in the case of cyber, into the flowing infrastructure of the internet. If a plane is going to travel through the airspace of another country, that country has to agree to it or the flight has to go around. A long-range bomber aircraft might fly over a few countries for a raid on the other side. Packets or “trons” can travel continents’ worth of countries in a path of least resistance taking seconds. Furthermore, while borders stay the same, digital routes are totally dynamic. In order to prevent the unintended escalation of cyber operations, we must divorce the routes trons take from the effects they cause.
A Path Forward
Fortunately, an existing policy framework already exists for an effects-based policy in a new frontier. We need to rise above the airspace mentality, and draw inspiration from satellites. Satellites travel freely over countries and cross borders with impunity. The international community agreed to a borderless framework in space in the Outer Space Treaty of 1967.1 The orbit a satellite is on and its position relative to political borders are irrelevant when it takes an action that causes an effect. The effect is all that matters. The group at the effect’s end may protest or retaliate, but the country under the satellite at the time of the action will have no issue. If, for example, China shot down a Russian satellite while the satellite was over Mexico, Russia would have no issue with Mexico for having allowed the attack above them, because they don’t own that space. Instead, China would be responsible for causing the malign effect.
The Department of Defense (DoD) has addressed this attribution issue. The DoD Law of War Manual specifically addresses “cyber operations that use communications infrastructure in neutral states.”2 This policy allows trons to be routed through neutral nations so long as the cyber infrastructure in that country allows innocuous information to be routed through it as well, if they route trons for the common World Wide Web. It also specifically acknowledges that it is unreasonable to expect other nations to review all cyber traffic for its content. These principles are fundamental to the spirit and design of the internet. Acknowledging those fundamentals will prevent future conflicts that will otherwise arise from misattribution during analysis of tron routes. Imagine Canada sends cyber attack trons to Russia via France, Thailand, and China. It is easy to see Russia determining that China may not have ownership of the trons that attacked them, but—unless we agree otherwise—they were complicit in the attack. A scenario where clumsy confusion leads to aggressive accusation, the likes of which we have not seen since the eve of WW1, is not far-fetched given the cyber domain’s peculiarities.
Many international cyber agreements are being written. One, the International Code of Conduct for Information Security, has already been signed by major players Russia and China. That agreement addresses the intent of cyber warfare and end effects, but leaves a grey area in between. A 2013 NATO report addressed this point indirectly, saying “demilitarized zones are not feasible in the context of cyberspace, due to its global scope.”3 NATO failed to separate the infrastructure itself from the use of the infrastructure. A United Nations report from 2015 (aware of NATO’s 2013 report) further departs in the wrong direction and declares “states of jurisdiction over the ICT (information and communications technologies) infrastructure located within their territory.”4 This policy direction simply does not pragmatically address the technology involved. The transnational spirit of the internet and the technology itself does not respect borders as the UN does. A failure to acknowledge this fact is dangerous. The focus on infrastructure and not on the transmissions and effects of the technology leaves a dangerous grey area.
The solution is an agreement among the international community to ignore cyber routes. The DoD’s cyber components must press this issue into international agreements. The Department is uniquely equipped to lead this effort. It is the center of our nation’s cyber warfare universe. The NSA, CIA, DIA, and others with less notoriety are led or staffed largely by military officers and enlisted, retired versions of the same, or DoD civilians. No other organization is as integrated into every aspect of offensive and defensive cyber operations. DoD’s outsized operational involvement gives us an equally outsized cyber policy voice, and we should use it to ensure a discussion on cyber routes.
The discussion should acknowledge, first, that attribution is the foundation of cyber warfare. Second, acknowledge that routing technologies use the communications equipment of neutral states to obscure the origin of cyber-attacks. After establishing those truths, the policy must focus on ensuring the analysis of digital forensic evidence acknowledges the inherent deceptiveness of cyber route analysis and delegitimizes the evidence as international policy. The international community must agree to focus on the information and effects of the trons and not attempt to hold accountable the infrastructure used for transmission. Absolve the owners of the infrastructure and the land on which it sits from responsibility for the trons it transmits, and inversely remove the standing they might have if they dislike the trons.
The publicly available cyber discussions in the international community have so far focused on intent, effects, and physical infrastructure while they ignore any agreement on cyber routes. To avoid a massive international misunderstanding in the fog of attribution we must internationally agree to ignore cyber routes. We have a framework for this. In space we own the object, not the orbit. In cyber we will own the information, not the route.
Travis Nicks is a nuclear submarine officer serving at the Pentagon. He is focused on finding precise fixes to complex problems. LT Nicks is interested in cyber policy and personnel performance issues. The views herein are his alone and do not represent the views of the Department of Defense, the Department of the Navy, or any other organization.
1. Outer Space Treaty, 1967, Article II
2. Department of Defense, Law of War Manual, 2016, Section 16.4.1
3. Dr. Katharina Ziolkowski, NATO Cooperative Cyber Defense Centre of Excellence, Confidence Building Measures for Cyberspace – Legal Implications, 2013, Section 3.2
4. Group of Government Experts, United Nations General Assembly, report on Developments in the Field of Information and Telecommunications in the Context of International Security, 2015, Section VI.28.a.
Featured Image: U.S. Navy Petty Officer 1st Class Joel Melendez, Naval Network Warfare Command information systems analysis, U.S. Air Force Staff Sgt. Rogerick Montgomery, U.S. Cyber Command network analysis, and U.S. Army Staff Sgt. Jacob Harding, 780th Military Intelligence Brigade cyber systems analysis, analyze an exercise scenario during Cyber Flag 13-1, Nov. 8, 2012, at Nellis Air Force Base, Nev. (U.S. Air Force photo by Senior Airman Matthew Lancaster)