San Francisco Chronicle

Thomas Lee: At Berkeley conference, a move to set guidelines for hacking on foreign soil.

- THOMAS LEE

Revelations that Russian intelligence agents penetrated the computer systems of Yahoo three years ago are hardly news to someone like Marina Kaljurand.

As the Estonian ambassador to Russia in 2007, she contacted officials there after a cyberattack against her country, which Estonia blamed on Russia. The denial-of-service assault effectively shut down the websites of the former Soviet republic’s parliament, newspapers and banks by overwhelming the sites with Internet traffic rerouted from other servers.

As you can imagine, she didn’t get far.

“It was a one-sided conversation,” said Kaljurand, who’s attending a cybersecurity conference in Berkeley this week. “There was no response from Russia.”

Events seem to have come full circle for Kaljurand, who’s now chairing the Global Commission on the Stability of Cyberspace. The organization wants to establish guidelines on what’s permissible or out of bounds when it comes to hacking computer systems in another country.

In many ways, the commission owes its existence to Russia. In the past, the world generally accepted that countries spied on each other and occasionally fought officially declared wars with bullets and bombs. But the assault against Estonia seemed symbolic of a disturbing new era in international conflicts, in which state-sponsored hackers target civilian institutions during peacetime for political and economic gain.

No one is more aware of the new threat than Silicon Valley, where the indictments for the Yahoo hack underscore growing concerns over security. As another example, the U.S. has regularly complained to China about hackers with suspected ties to the People’s Liberation Army trying to steal secrets from universities and tech firms.

It makes sense to establish some norms of behavior for countries to spar over the Internet. You can’t eliminate attacks, but perhaps you can agree on what crosses the line.

Countries like Russia probably won’t be keen on an international policy. After all, the two Russian spies included in the federal indictments in the Yahoo hack presumably got their orders from higher up. The U.S., for its part, has done its share of spying, too. Last week WikiLeaks revealed programs it said the Central Intelligence Agency used to hack into common devices like smartphones, methods that could be used to get around messaging encryption.

Kaljurand doesn’t think we should create a Geneva Convention for online warfare. She said the new commission, formed with the support of the Netherlands, Microsoft and some think tanks, will develop ways we can apply existing international laws to the Internet. Notably, it includes no representatives from Russia, though there are two from China: Xiaodong Lee, a professor of the Chinese Academy of Sciences, and Zhang Li, a top official with China Institutes of Contemporary International Relations.

The Geneva Conventions forbid the deliberate targeting of civilians in a war. So a reasonable interpretation of the law would mean a nation can’t blow up a dam or a natural gas plant through a computer hack if those actions would kill or injure civilians.

That has happened before. After Russia invaded Ukraine in 2014, for example, hackers repeatedly attacked Ukraine’s power grid.

And civilians are targeted, or at least collateral damage, in many hacks.

In the Yahoo breach, the Russians were targeting foreign officials, business executives, journalists and even politicians from their own country. This year, U.S. intelligence agencies concluded Russia attempted to influence the presidential election by leaking emails it stole from Democrats.

China is another emerging player in the hacking world, with a motivation that is partly financial. In a 2013 report, the National Bureau of Asian Research concluded that intellectual property theft cost the United States about $300 billion a year in exports to Asia. The study, led by former director of national intelligence and Navy Adm. Dennis Blair and Jon Huntsman, a former U.S. ambassador to China, also estimated that China accounted for up to 80 percent of all such thefts around the world.

“National industrial policy goals in China encourage IP theft, and an extraordinary number of Chinese in business and government entities are engaged in this practice,” the report said.

China’s growing capabilities have only made the problem worse, said Mark Krotoski, a former criminal division chief with the U.S. Attorney’s Office in the Northern District of California who has successfully prosecuted Chinese nationals for economic espionage.

Intellectual property theft has become “an evolving, emerging challenge because of the growing number of cyberintrusions and sophisticated hacking,” said Krotoski, now a partner with Morgan Lewis law firm in Palo Alto.

Though we normally accept that nations spy on each other, the Obama Administration concluded that such state-sponsored commercial espionage crossed the line of acceptable behavior. President Barack Obama personally raised the issue during his meetings with Chinese leader Xi Jinping.

It’s very difficult to prosecute the thefts because the culprits can usually hide behind a myriad of proxies and shell entities, Krotoski said.

“Establishing bright lines is helpful,” Krotoski said. “It’s a key step of a broader approach” to curbing attacks.

In late 2015, China and the United States reached a deal not to swipe intellectual property from one another online. Since the agreement, the number of Chinese incursions into the computer systems of American companies has significantly dropped.

“Cyberspace is not the jungle,” Kaljurand said. “There are rules.”

The rules are being put to a severe test.

Photo (Lea Suzuki / The Chronicle): Marina Kaljurand, chairwoman of the Global Commission on the Stability of Cyberspace, says her group will look at applying existing laws in order to limit Internet attacks.

Photo (Lea Suzuki / The Chronicle): Marina Kaljurand dealt with a major cyberattack in 2007, when she was Estonia’s ambassador to Russia.
