January 11, 2025

Posts Comments

Cyber Détente Part II: Russian Diplomatic and Strategic Self-Interest

January 15, 2010 by

The first post in this series rebutted the purported Russian motive for negotiations, avoiding a security dilemma. This second post posits two alternative self-interested Russian inducements for rapprochement: legitimizing use of force and strategic advantage.

——————————

An alternative rationale for talks advanced by the Russians is fear of “cyberterror” – not the capacity for offensive cyberwarfare, but its use against civilians. A weapons use treaty of this sort could have value in establishing a norm against civilian cyberattack… but there are already strong international treaties and norms against attacks aimed at civilians. And at any rate the untraceability of most cyberattacks will take the teeth out of any use-banning treaty of this sort.

The U.S. delegation is rightly skeptical of this motive; the Russians may well be raising cyberterror in the interest of legitimating use of conventional force. The Russians have repeatedly likened political dissidence to cyberterror, and a substantive cyberterrorism treaty may be submitted by Russia as license to pursue political vendettas with conventional force. To probe how such a treaty might function, consider first a hypothetical full-blown infrastructure-crippling act of cyberterror where the perpetrator is known – Russia already need not restrain itself in retaliating. On the other hand, consider the inevitable website defacements by Chechen separatists or Georgian sympathizers in the midst of increasing hostilities – acts of cyberterrorism in violation of a treaty will assuredly be added to the list of provocations should Russia elect to engage in armed conflict.

This simple thought experiment reveals the deep faultlines that will emerge in negotiating any cyberterrorism treaty. Where is the boundary between vandalism (and other petty cybercrime) and cyberterror? What if acts are committed, as is often the case, by nationals of a state but not its government? What proof is required to sustain an allegation of cyberterror? Doubtlessly the Russian delegation would advance a broad definition of cyberterror, while the Americans would propose a narrowly circumscribed definition. Even if, improbably, the U.S. and Russia negotiated to a shared definition of cyberterror, I fail to see how it could be articulated in a manner not prone to later manipulation. It is not difficult to imagine, for example, how trivial defacement of a bank’s website might be shoehorned into a narrow definition: “destructive acts targeting critical civilian infrastructure.”

Another compelling motive for the Russians is realist self-interest: the Russians may believe they will gain a strategic advantage with a capacity-limiting cyberwarfare treaty. At first blush this seems an implausible reading – the U.S., with its technologically advanced and integrated armed forces, appears a far richer target for cyberattack than Russia given its reliance on decrepit Soviet equipment. Moreover, anecdotally the U.S. military has proven highly vulnerable: multiple unattributed attacks have penetrated defense-related systems (most prominently in 2007), and late last year the Wall Street Journal reported Iraqi militants trivially intercepted live video from Predator drones. But looking ahead a Russian self-interest motive is more plausible. Russia has made no secret of its attempts to rapidly stand up modern, professional armed forces, and in 2009 alone increased military spending by over 25% (projects include a revamped navy and a satellite positioning system, among many others). To accomplish this end the Russians may rely to a large degree on information technology, and particularly on commercial off-the-shelf hardware and software. Lacking time and finances the Russians may be unable to secure their new military systems against cyberattack. Thus while at present the U.S. is more vulnerable, in future Russia may have greater weaknesses. Locking in a cyberwarfare arms control agreement now, while the U.S. is more likely to sign on, could therefore be in Russia’s long-term strategic self-interest.

The specific offensive capabilities Russia has reportedly sought to ban are strongly corroborative of this self-interest rationale. In prior negotiations the Russian delegation has signaled particular concern of deliberately planted software and hardware that would allow disabling or co-opting military equipment. The U.S. will likely have far greater success in developing assets of this sort given the at times close relationship between intelligence agencies and commercial IT firms (e.g. the NSA warrantless wiretapping scandal) and the prevalence of American IT worldwide in military applications (think Windows). Russia, on the other hand, would likely have to rely on human intelligence to place assets of this sort.

Russia’s renewed interest in bilateral cybersecurity negotiations also belies its purported security dilemma rationale. Russian interest in talks lapsed between 1996 and 2009, suggesting a novel stimulus is at work, not some long-standing fear of a security dilemma. The recent rise of alleged “cyberterror” and attempts to modernize Russian armed forces – especially in the wake of the 2008 South Ossetia War with Georgia – far better correlate with Russia’s eagerness to come to the table.

To put a point on these two posts, I submit legitimization of use of force and strategic self-interest are far more plausible Russian motives for cybersecurity negotiations than the purported rationale of avoiding a security dilemma and consequent arms race or destabilization. In the following post I will explore the U.S. delegation’s position and argue the American response to Russia’s proposals is well-calibrated.

Filed Under: Uncategorized

Cyber Détente Part I: A Security Dilemma?

January 11, 2010 by

Late last year the Obama administration reopened talks with Russia over the militarization of cyberspace and assented to cybersecurity discussion in the United Nations First Committee (Disarmament and National Security). My intention in this three-part series is to probe Russian and American foreign policy on cyberwarfare and advance the thesis that the Russians are negotiating for specific strategic or diplomatic gains, while the Americans are primarily procedurally invested owing to the “reset” in Russian relations and changing perceptions of cyberwarfare.

This first post rebuts the Russians’ purported rationale for talks: avoiding a security dilemma.

——————————

The Russians seek a cyberwarfare arms control instrument ostensibly to avoid a security dilemma and arms race, in the vein of past arrangements for nuclear weapons (i.e. SALT I/II, START I/II, and SORT) and anti-ballistic missile technology (ABM), among others. This basis for negotiations does not withstand scrutiny.

A security dilemma may arise where a state has the opportunity to develop a game-changing new weapons system, even if for purely defensive purposes. For fear of strategic disadvantage other powers may elect to develop the weapon – an arms race – resulting in none gaining a strategic advantage and all bearing a significant cost. Alternatively, technologically incapable of matching or unable to afford the development, other states may take destabilizing offensive steps. Arms control treaties resolve this form of security dilemma by committing states to not developing certain weapons.

Cyberwarfare lacks necessary elements of a security dilemma. First and foremost, cyberwarfare capabilities defy quantifiability. Consider the Cold War nuclear arms race, for example, and the strategic fixation on differences in the number and type of nuclear warheads and delivery systems (the “missile gap”). In the absence of such a metric the two powers have no means of calibrating their activities, and there is no persistent pressure to match or surpass some specific capability the other side maintains.

Intelligence might give each power a rough indication of the other’s cyberwarfare capabilities, but it will be harder to come by than for other military operations. Unlike with other weapons systems, cyberwarfare does not require special installations or resources. There are no centrifuge sites to inspect or uranium shipments to track – just talented programmers and generic computer hardware.

A related issue is that a successful arms control agreement on cyberwarfare would require monitoring and enforcement provisions (“trust but verify”). But as discussed above intelligence on cyberwar capabilities will be harder to come by than for other weapons systems. The Biological Weapons Convention is illustrative of how ineffective an arms control treaty may be without effective monitoring: until a 1989 defection the West was unaware of the scope of Russia’s secret biological weapons program.

Supposing, arguendo, that cyberwarfare capabilities did form an avoidable security dilemma, the negative results that make a security dilemma worth avoiding – excessive expenditures and destabilization – do not arise.

Cyberwarfare is cheap. Developing the F-22 aircraft, for example, cost roughly $65 billion; the annual Air Force cyberspace budget, on the other hand, appears in the low billions and consists primarily of personnel and basing expenditures (Strategic Command Press Release; FY2010 budget).

As for destabilization, there is minimal marginal strategic gain from cyberwarfare capabilities. In the Cold War nuclear arms race there was a perception that if the other side achieved even a slight advantage the bipolar strategic equilibrium would collapse. Cyberwarfare is neither perceived to be – nor is it, in actuality – so effective on the margin. While specific capabilities are not public, it is difficult to imagine cyberattacks will be consistently more effective than conventional strikes. Moreover, given the United States’ enormous strategic advantages in the whole, even significant marginal strategic gains would do little to tip the balance of power to Russia.

Having deconstructed the alleged Russian rationale for talks, the next post in this series will explore alternate viable Russian rationales.

Filed Under: Uncategorized

TV Everywhere: Collusion Anywhere?

January 7, 2010 by

FreePress and the National Cable and Telecom Association (NCTA) are talking past each other about TV Everywhere, a new initiative from the cable TV industry. FreePress says TV Everywhere is the cable industry’s collusive attempt to limit competition; the NCTA says it’s an exciting new product opportunity for consumers. Let’s unpack this issue and see who might have a point, and who is blowing smoke.

We’re at a critical point in the history of television. In recent years, most people have gotten TV shows from a traditional cable or satellite service. Now more and more people are getting shows on the Internet. Cable companies need to adapt, somehow, or become dinosaurs.

Which brings us to TV Everywhere. The idea, according to the NCTA, is for cable companies to offer their residential subscribers online access to the same shows they get at home. Existing consumers get more, at no extra charge — who would complain about that? — but only if they keep buying traditional cable service.

FreePress tells a different story, in which cable industry companies have agreed among themselves that this is their sole Internet distribution strategy. If such an agreement exists, it is problematic — it looks like a classic market division agreement, which is bad for consumers and (as I understand it) presumptively illegal.

To understand why this would be bad, consider an analogy. Suppose there are only two pizza restaurants in Princeton, Alice’s Pizza and Bob’s Pizza, and neither one offers home delivery. Customers want delivery, so both restaurants are considering how to provide it. Alice and Bob meet, and they agree that Alice’s will only deliver to customers east of Nassau Street, and Bob’s will only deliver to customers west of Nassau Street. Alice and Bob have divided the market. Customers suffer because of the lack of competition.

Now obviously Alice and Bob are free to set reasonable limits on where they will deliver. Some customers may be too far away, or too difficult to deliver to for some reason. But customers would rightly complain if Alice and Bob agreed to divide the market. Even if we didn’t have smoking-gun evidence of an agreement, there might be very strong circumstantial evidence, for example if Alice offered to deliver to places five miles away while refusing to deliver to homes directly across the street from her Nassau Street restaurant, or if Alice and Bob’s restaurants were right next to each other but had totally disjoint delivery areas.

Notice too that Alice and Bob can’t get off the hook by pointing out that they are offering a new service — delivery — that they had never offered before. The problem is not that they are offering a new service, but that they have agreed not to offer certain other services.

How does this analogy apply to cable TV? Alice and Bob are like the cable companies, which are considering expanding beyond their traditional service. Home delivery of pizza is like Internet delivery of TV shows. As the cable industry expands to offer TV shows on the Internet, are they open to competing against each other, or have they agreed not to do so? If the cable companies have made an agreement to offer online TV shows only to their own residential customers, that looks like an agreement to divide the market — each company will be offering its product only in the limited geographic areas where it has a cable TV license.

So the key question — really the only one that matters, as far as I can see — is whether the cable companies have agreed not to compete. FreePress says, or strongly implies, that there is such an agreement. NCTA says there is not.

Who is right? Unfortunately the publicly available facts are consistent with either theory. Maybe TV Everywhere is just the first step and the cable companies will soon enough be competing with each other to distribute shows to Internet customers wherever they may be. Or maybe the companies have decided as a group to restrict themselves to TV Everywhere style services within geographic limits (or to otherwise restrict business models or prices).

At this point we can’t tell who is right. FreePress offers indirect but suggestive circumstantial evidence that questionable discussions might have occurred within the cable industry. The NCTA mostly just changes the subject, talking about the complexity of their industry and praising cable companies for offering shows on the Internet at all.

Unfortunately, public discourse about industry structure often confuses issues like this. We often say things like “the cable industry is worried about X” or “the cable industry wants Y”. That could be a kind of shorthand, meaning that the individual companies in the industry, facing competitive pressures, generally tend to worry about X or to want Y — perfectly reasonable market behavior. Or it could reflect an assumption that the industry acts as a unit, which of course is problematic. This ambiguity is especially common in political/policy debates, to our detriment. We’d be better off talking saying things like “cable companies worry about X” or “cable companies want Y”, just to remind ourselves that these are supposed to be independent actors who decide independently what they want.

For now, I’d say the cable companies bear watching. As the companies lay out their Internet strategies and products, I hope the antitrust authorities are watching closely. If the cable companies are really acting as competing companies, this will be obvious from their actions.

Filed Under: Uncategorized Tagged With: , ,

Predictions for 2010

January 6, 2010 by

Here are our predictions for 2010. These are based on input from Ari Feldman, Ed Felten, Alex Halderman, Joseph Lorenzo Hall, Tim Lee, Paul Ohm, David Robinson, Dan Wallach, Harlan Yu, and Bill Zeller. Please note that individual contributors (including me) don’t necessarily agree with all of these predictions.

(1) DRM technology will still fail to prevent widespread infringement. In a related development, pigs will still fail to fly.

(2) Federated DRM systems, such as DECE and KeyChest, will not catch on.

(3) Content providers will crack down on online sites that host unlicensed re-streaming of live sports programming. DMCA takedown notices will be followed by a lawsuit claiming actual knowledge of infringing materials and direct financial benefits.

(4) Major newspaper content will continue to be available online for free (with ads) despite cheerleading for paywalls by Rupert Murdoch and others.

(5) The Supreme Court will strike down pure business model patents in its Bilski opinion. The Court will establish a new test for patentability, rather than accepting the Federal Circuit’s test. The Court won’t go so far as to ban software patents, but the implications of the ruling for software patents will be unclear and will generate much debate.

(6) Patent reform legislation won’t pass in 2010. Calls for Congress to resolve the post-Bilski uncertainty will contribute to the delay.

(7) After the upcoming rulings in Quon (Supreme Court), Comprehensive Drug Testing (Ninth Circuit or Supreme Court) and Warshak (Sixth Circuit), 2010 will be remembered as the year the courts finally extended the full protection of the Fourth Amendment to the Internet.

(8) Fresh evidence will come to light of the extent of law enforcement access to mobile phone location-data, intensifying the debate about the status of mobile location data under the Fourth Amendment and electronic surveillance statutes. Civil libertarians will call for stronger oversight, but nothing will come of it by year’s end.

(9) The FTC will continue to threaten to do much more to punish online privacy violations, but it won’t do much to make good on the threats.

(10) The new Apple tablet will be gorgeous but expensive. It will be a huge hit only if it offers some kind of advance in the basic human interface, such as a really effective full-sized on-screen keyboard.

(11) The disadvantages of iTunes-style walled garden app stores will become increasingly evident. Apple will consider relaxing its restrictions on iPhone apps, but in the end will offer only rhetoric, not real change.

(12) Internet Explorer’s usage share will fall below 50 percent for the first time in a decade, spurred by continued growth of Firefox, Chrome, and Safari.

(13) Amazon and other online retailers will be forced to collect state sales tax in all 50 states. This will have little impact on the growth of their business, as they will continue to undercut local bricks-and-mortar stores on prices, but it will remove their incentive to build warehouses in odd places just to avoid having to collect sales tax.

(14) Mobile carriers will continue locking consumers in to long-term service contracts despite the best efforts of Google and the handset manufacturers to sell unlocked phones.

(15) Palm will die, or be absorbed by Research In Motion or Microsoft.

(16) In July, when all the iPhone 3G early adopters are coming off their two-year lock-in with AT&T, there will be a frenzy of Android and other smartphone devices competing for AT&T’s customers. Apple, no doubt offering yet another version of the iPhone at the time, will be forced to cut its prices, but will hang onto its centralized app store. Android will be the big winner in this battle, in terms of gained market share, but there will be all kinds of fragmentation, with different carriers offering slightly different and incompatible variants on Android.

(17) Hackers will quickly sort out how to install their own Android builds on locked-down Android phones from all the major vendors, leading to threatened or actual lawsuits but no successful legal action taken.

(18) Twitter will peak and begin its decline as a human-to-human communication medium.

(19) A politican or a candidate will commit a high-profile “macaca”-like moment via Twitter.

(20) Facebook customers will become increasingly disenchanted with the company, but won’t leave in large numbers because they’ll have too much information locked up in the site.

(21) The fashionable anti-Internet argument of 2010 will be that the Net has passed its prime, supplanting the (equally bogus) 2009 fad argument that the Internet is bad for literacy.

(22) One year after the release of the Obama Administration’s Open Government Directive, the effort will be seen as a measured success. Agencies will show eagerness to embrace data transparency but will find the mechanics of releasing datasets to be long and difficult. Privacy– how to deal with personal information available in public data– will be one major hurdle.

(23) The Open Government agenda will be the bright spot in the Administration’s tech policy, which will otherwise be seen as a business-as-usual continuation of past policies.

Filed Under: Uncategorized Tagged With:

Will they ever learn? Hollywood still pursuing DRM

January 5, 2010 by

In today’s New York Times, we read that Hollywood is working on a grand unified video DRM scheme intended to allow for video portability, such as, for example, when you visit a hotel room, you’d like to have your videos with you.

What’s sad, of course, is that you can have all of this today with very little fuss. I use iTiVo to extract videos from my TiVo, transcoding them to an iPhone-compatible format. I similarly use Fairmount to rip DVDs to my hard drive, making them easy to play later without worrying about the physical media getting damaged or lost. But if I want to download video, I have no easy mechanism to download non-DRM content. BitTorrent gives access to many things, including my favorite Top Gear, which I cannot get through any other channel, but many things I’d like aren’t available, and of course, there’s the whole legality issue.

I recently bought a copy of Disney/Pixar’s Up (Blu-ray), which includes a “Digital Copy” of some sort that’s rippable, but the other ones are rippable as well (even the Bluray), so I haven’t bothered to sort out how the “Digital Copy” works.

(UPDATE: the disc contains Windows and Mac executables which will ask the user for an “activation code” which is then sent to a Disney server which responds with some sort of decryption key. The resulting file is then installed in iTunes or Windows Media Player with their native DRM restrictions. The Disney server, of course, wants you to set up an account, and they’re working up some sort of YouTube-ish streaming experiences for movies where you’ve entered an activation code.)

So what exactly are the Hollywood types cooking up? There are no technical details in the article, but the broad idea seems to be that you authenticate as yourself from any device, anywhere, and then the central server will let you at “your” content. It’s unclear the extent to which they have an offline viewing story, such as you might want to do on your computer on an airplane. One would imagine they would download an encrypted file, perhaps customized for you, along with a dedicated video player that keeps the key material hidden away through easily broken, poorly conceived mechanisms.

It’s not like we haven’t been here before. I just wonder if we’ll have a repeat of the ill-fated SDMI challenge.

Filed Under: Uncategorized Tagged With: