Cyberdiplomacy E-Book

Table of Contents

Cover

Dedication

Title page

Copyright page

Preface

1

:

Introduction

The Threat

Cyberdiplomacy vs Digital Diplomacy

Digital Diplomacy

Cyberspace and Physical Space

A Diplomatic Approach?

Notes

2

:

The Diplomat in Cyberspace

Diplomats and Soldiers

Who are Diplomats?

The International Community of Diplomats

Diplomatic Attributes

International Law

Diplomatic Socialisation

New Actors

Diplomacy in Cyberspace

Notes

3

:

Regulating Cyberspace

The Structure of Cyberspace

Internet Governance

Data Protection

Internet Content

Services

New Approaches to Regulation

Notes

4

:

Mitigating Cyberconflict

Cyberwar

Cyberespionage

Cyberterrorism

Information Warfare

Strategy in Cyberspace

The Cybersecurity Dilemma

Attribution

A Hobbesian World?

Diplomats and Cyberconflict

Notes

5

:

Business and Cyberdiplomacy

Companies and Geopolitical Risk

Cybercrime

Defensive Measures

Diplomatic Approaches

Regulatory Debates

Diplomacy and Regulation

Notes

6

:

Algorithms and Internet Companies

Big Data

Social Media Algorithms

Engaging with Internet Companies

Notes

7

:

Conclusion: Building Diplomacy Online

Notes

Index

End User License Agreement

Guide

Cover

Table of Contents

Begin Reading

Pages

ii

iii

iv

vi

vii

viii

ix

x

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

120

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

121

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

122

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

123

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

124

95

96

97

98

99

100

101

102

103

104

125

105

106

107

108

109

110

111

112

113

114

115

116

117

118

126

119

128

129

130

131

132

133

134

I dedicate this book to Jenny. Everything good or worthwhile in my life I owe her.

Cyberdiplomacy

Managing Security and Governance Online

polity

Copyright © Shaun Riordan 2019

The right of Shaun Riordan to be identified as Author of this Work has been asserted in accordance with the UK Copyright, Designs and Patents Act 1988.

First published in 2019 by Polity Press

Polity Press

65 Bridge Street

Cambridge CB2 1UR, UK

Polity Press

101 Station Landing

Suite 300

Medford, MA 02155, USA

All rights reserved. Except for the quotation of short passages for the purpose of criticism and review, no part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publisher.

ISBN-13: 978-1-5095-3407-4

ISBN-13: 978-1-5095-3408-1 (pb)

A catalogue record for this book is available from the British Library.

Library of Congress Cataloging-in-Publication Data

Names: Riordan, Shaun, author.

Title: Cyberdiplomacy : managing security and governance online / Shaun Riordan.

Description: Cambridge, UK ; Medford, MA : Polity Press, 2019. | Includes bibliographical references and index.

Identifiers: LCCN 2018037565 (print) | LCCN 2018040824 (ebook) | ISBN 9781509534098 (Epub) | ISBN 9781509534074 (hardback) | ISBN 9781509534081 (pbk.)

Subjects: LCSH: Internet governance. | Cyberspace. | Diplomacy.

Classification: LCC TK5105.8854 (ebook) | LCC TK5105.8854 .R56 2019 (print) | DDC 353.1/3028558–dc23

LC record available at https://lccn.loc.gov/2018037565

Typeset in 11 on 13 pt Sabon by Toppan Best-set Premedia Limited

Printed and bound in the United Kingdom by Clays Ltd, Elcograph S.p.A.

The publisher has used its best endeavours to ensure that the URLs for external websites referred to in this book are correct and active at the time of going to press. However, the publisher has no responsibility for the websites and can make no guarantee that a site will remain live or that the content is or will remain appropriate.

Every effort has been made to trace all copyright holders, but if any have been overlooked the publisher will be pleased to include any necessary credits in any subsequent reprint or edition.

For further information on Polity, visit our website: politybooks.com

Preface

I recently took part in a panel about the future relationship between diplomacy and science. A fellow panellist bemoaned the difficulties of achieving international agreement about how to govern the internet. He complained that the different actors had different motivations, different objectives and different ideologies; they even spoke different languages. I couldn't help replying: ‘welcome to the world of the diplomat.’ If all countries shared the same views on global governance in physical space, then we would not need diplomats. The same is true of cyberspace.

When the internet began, many argued that it would revolutionise international relations. In cyberspace there would be no borders. The power and influence of the Westphalian nation-state would be fatally undermined. Traditional diplomats and diplomacy would no longer be needed. Citizen ambassadors would talk directly unto citizen ambassadors. The internet has undoubtedly changed the context in which international relations play out. New governmental and non-governmental actors have been empowered by the new information communication technologies as they join the debates about new international security agendas. And yet the nation-state is still with us and recently has even grown in relevance. Far from being a flat, borderless realm, cyberspace has become another domain for geopolitical conflict, as well as debates and disagreements over international governance. Where there are geopolitical conflicts and disagreements over international governance, there ought to be diplomats and diplomacy. But oddly they are noticeable mainly by their absence.

There are three vectors in diplomacy: agency (who is the diplomat), process (the tools and techniques of diplomacy) and subject matter (the area to which diplomacy is applied). So far, in relation to the new technologies, the focus of both scholars and practitioners has been on process: the implications of digital tools for diplomats and how diplomats can use these to advance broader diplomatic agendas. There has been some good work on how digital tools can support consular work. But this is counterbalanced by an obsession with the use of social media to advance public diplomacy agendas. Ambassadors blog, first secretaries tweet, and third secretaries have pages on Facebook. Insufficient thought has been given to the implications of using social media platforms and search engines designed to monetise data to promote international debate. Only slowly is it dawning that social media platforms facilitate information warfare and frustrate public diplomacy. The very algorithms that ensure efficient monetisation of data weaponise information. They ensure that the fake news of information warfare reaches the echo chambers predisposed to believe it while limiting the reach of public diplomacy to those who are already in agreement. Diplomats and scholars need to raise their game.

This book focuses on agency and subject matter. It explores what it means to be a diplomat and, in particular, whether there is a diplomatic approach or way of dealing with the world. It then examines how such a diplomatic approach can be applied to the various problems arising in cyberspace, whether related to internet governance or the various forms of conflict arising from illicit penetration of foreign computer systems. So far we seem to believe that both kinds of problem can be resolved with technological solutions. The techies built the internet, so the techies can sort out the problems. This is profoundly mistaken. This would be the equivalent to leaving all international problems in physical space to the military. The military, like the techies in cyberspace, have their role, but stability is likely to be enhanced by having the diplomats along too. To put it another way, technical solutions are necessary but not sufficient.

My colleague on the panel on diplomacy and science was concerned about the debates on internet governance. There is a struggle for the soul of the internet between those who advocate the original vision of a free internet and those who support the idea of establishing government control under the jurisdiction of international governmental organisations. The negotiating skills of the diplomat will be needed to edge towards a compromise. On the same panel, we discussed the problems in distinguishing between different types of computer penetration. For example, penetration designed to gather information and monitor developments looks very like penetration in preparation for a future attack on critical infrastructure. How do you distinguish between cyberespionage and preparations for cyberwar? Being unable to do so increases the risks of conflict escalation, including in the physical world. Our conclusion was that there is a need for a better understanding of the motivations and intentions of the other side. Recent evidence suggests that humans are remarkably good at identifying intentions, providing they enjoy prolonged and repeated face-to-face contact. Repeated face-to-face contact with foreign politicians and officials – who on earth would do that? The cyberspace that was once thought to make diplomats and diplomacy irrelevant may instead be making them more important by the day, and they are carrying out very traditional-looking functions. Time for diplomats to stop messing with social media and get back to the serious stuff.

This book has arisen from conversations with a broad range of colleagues from across the diplomatic studies and international relations spectrum. Appropriately, many of these exchanges have been through Twitter (which is better for academic exchanges than diplomacy!), while others have been at workshops, especially those organised by Corneliu Bjola, Ilan Manor and Jennifer Cassidy at the Digital Diplomacy Project in Oxford. I have also benefited from participating in webinars with Jovan Kurbalija and Katharina Höne at the DiploFoundation in Geneva. Mikkel Larsen's wonderful #Digital Diplomacy podcast was another opportunity to bounce ideas around. My thinking on diplomacy in general has been developed through conversations over the years with Paul Sharp, Jan Melissen, Brian Hocking, Pedro Baños and Velina Tchakarova. In Madrid, Colonel Ángel Gόmez de Ágreda, formerly of the Spanish Cyber Command, read the entire manuscript and made detailed suggestions. My editors at Polity, Louise Knight and Nekane Tanaka Galdos, were endlessly patient and encouraging, and the anonymous reviewers offered constructive criticism. I am grateful to them all, with the caveat that any errors or misjudgements are mine alone. My mother and my sons Tom, Fergus and Rory encouraged (bullied!) me to finish the book, which is dedicated to my wife Jenny.

1 Introduction

The Threat

In January 2018 the British minister of defence, Gavin Williamson, warned that a Russian cyberattack against the UK's critical infrastructure could leave thousands dead.1 This may have been a bid to increase the defence budget, yet in May 2017 the Wannacry ransomware attack caused chaos in Britain's hospitals, as well as hitting corporate giants such as FedEx and the Spanish telecommunications giant Telefonica. The aim was criminal, freezing computers and then unfreezing them in return for a ransom payment in the digital currency Bitcoin, but it demonstrated the vulnerability of critical infrastructure.2 Cyberattacks against governments and companies appear to be continual, whether to steal data (including intellectual property) or money or in preparation for future attacks. Most are never reported in public, either because governments do not want to reveal sensitive information or because companies want to protect their reputations and share price. But enough does enter the public domain to reveal a digital space parallel to the physical space, where digital equipment and information interact, and where bad things are happening. The effect of these bad things is not limited to this digital space but can impact on the physical space. For example, when the Wannacry virus hit computers in British hospitals, blocking access to key data, operations had to be suspended and emergency units closed down. This put at risk the security and welfare of thousands of patients, even if this was not the initial intention of the hackers who had launched the ransomware attack.

So far, attacks against computers and other digital systems designed to cause real damage in the physical world (what the military refer to as ‘kinetic effects’) have been rare. The best known is the Stuxnet campaign against the Iranian nuclear enrichment facilities, especially the facility at Natanz. This allegedly joint US–Israeli operation, code-named Olympic Games, targeted the centrifuges essential to the enrichment of uranium, exaggerating their speeds until they broke.3 It is possible that the United States has also launched cyberattacks against North Korea's ballistic missile programme, provoking failures in missile tests.4 But, even if the number of cyberattacks with kinetic effects is so far small, the number of broader cyberattacks, and the range of state and non-state actors developing the capacity to launch them, is growing. These cyberattacks can be broadly categorised as cyberwar, cyberterrorism, cyberespionage and cybercrime. In cyberwar, state actors penetrate foreign computer systems with the aim of damaging the systems themselves, using them to create kinetic effects in the physical world or to prepare the ground to launch attacks in the future. In cyberterrorism, non-state groups penetrate computer systems with the intention of damaging the systems or using them to create kinetic effects. Interestingly, we have not yet seen genuine cyberterrorism. Terrorist groups such as Islamic State have undoubtedly recruited internet engineers, but their online activities have so far been limited to cybercrime (bank raids to raise funds) or online information warfare (see below). In cyberespionage, state and non-state actors penetrate systems to steal information (including personal data, data about capabilities and intentions, and intellectual property). In cybercrime, non-state actors (criminals) penetrate computer systems to generate financial income illegally. This might include straightforward theft (the Russian GameOver criminal network simply drained $6.9 million in a single attack) but also the stealing of information to blackmail companies or using ransomware (the same GameOver network is thought to have made over $1 million from ransomware attacks). These distinctions are not watertight. Governments may work with criminals, piggy-backing criminal attacks for cyberwar or cyberespionage purposes.

Apart from attacking computer systems, state actors can use social media and other digital tools to spread information and propaganda. Russia has been accused of using social media such as Facebook and Twitter to influence elections in the US and France and the Brexit referendum in the UK.5 Extremist groups use social media to increase social tensions, spread hate messages and recruit members. Concern is growing in the West about the use of social media to spread misleading or distorted information, or sometimes plain lies, increasingly referred to as ‘fake news’. Talk has begun of cyber information warfare.6 The EU has created a strategic communication task force (the EU East StratCom Task Force) to counter what it sees as misinformation being spread by state-backed Russian media. Sometimes the use of social media is combined with penetration attacks. During the 2016 US presidential election campaign, Russian hackers penetrated the computer systems of the Democratic National Committee, in particular the emails of John Podesta, which were then released through WikiLeaks. It is not clear what impact they had on the election result, but they did portray a Democratic candidate out of touch with the concerns of ordinary voters.

Cyberspace is a controversial term, with many different definitions. However, it captures the idea of a space parallel to physical space but closely interrelated with it, where digital information and equipment interact. As we have seen, what happens in cyberspace can impact on what happens in physical space. But what happens in physical space also impacts on cyberspace. In as far as cyberspace consists of digital information and equipment designed and built by humans, it is a man-made creation. Its shape and functioning are defined by human decisions, whether state or non-state actors. It grows with every new piece of digital equipment and application. The developing Internet of Things, where everyday household items, cars, and other machinery and equipment are connected to the internet, represents another significant expansion of cyberspace. Putting ‘things’ online in this way increases not only convenience and productivity but also vulnerabilities, both of individuals and of the system. The introduction of fifth-generation mobile telephony (5G) will represent another increase in connectivity and in the scope of cyberspace. But, as a man-made creation, cyberspace needs man-made rules to govern it. Internet governance may not seem as exciting as the cybersecurity issues outlined above, but it is crucial to how the internet and global society will develop in the twenty-first century. How the internet is governed will shape how, and in whose interests, cyberspace operates. The key issues reflect debates in physical space. Who manages the physical structure of the internet? How are online service providers to be regulated, and where do they pay their taxes? Shall the internet be global or national? What is the balance between freedom of expression and the control of extremism and hate speech? How can we protect privacy and individuals’ data, and what are the prices we are willing to pay in economic efficiency and security? How to combat fake news and manipulation of social media? At the core of these debates is a more general point that has nothing to do directly with cyberspace. How can we agree new international rules in a multipolar world where the old Western consensus on international norms and institutions has broken down, and where non-state as well as state actors play an increasingly important role?7

Cyberdiplomacy vs Digital Diplomacy

Diplomats have always been behind the curve in cyberspace. Concerns about security, and the obsession with secrecy, made them reluctant to use computers, let alone link up to the internet (the massive release to WikiLeaks of US diplomatic cables suggests that their fears may not have been misplaced). Most foreign ministries did not use emails until the turn of millennium. Since then a plethora of terms has entered the vocabulary as diplomats and scholars of diplomacy have played desperate catch-up. Most prominent have been digital diplomacy, cyberdiplomacy and e-diplomacy. These have often been used interchangeably, causing not a little confusion in the process. Some time ago I suggested distinguishing between digital diplomacy and cyberdiplomacy.8 I suggested that digital diplomacy should refer to the use of digital tools to pursue wider diplomatic objectives, and that cyberdiplomacy should refer to the use of diplomatic tools and mindsets in resolving, or at least managing, the problems in cyberspace. Thus digital diplomacy is the application of digital tools to diplomacy, whereas cyberdiplomacy is the application of diplomacy to cyberspace. Gradually this distinction seems to be catching on (with the term e-diplomacy slipping from common usage). These are the definitions I will use here.

This book will focus on cyberdiplomacy. It aims to explore how a diplomatic approach can help resolve or manage the cybersecurity, online information warfare and internet governance problems identified above. Much has been written about digital diplomacy, whether in books, academic journals or more popular blogs.9 The nature and importance of digital diplomacy has been, appropriately, much debated through social media. However, very little has been written about cyberdiplomacy (a paper written by André Barrinha and Thomas Renard in Global Affairs sets out the key challenges).10 In part this reflects a prejudice that sees cyberspace as so different and separate from physical space that only technical solutions apply. If cyberspace is where digital equipment interacts with digital solutions, then digital solutions must be found for the problems that arise there. But in this book I will argue that, as cyberspace is as much a human creation as physical space (in many respects more so), non-technical approaches must accompany technical solutions. Relying only on technical solutions to resolve the governance, security, criminal and espionage issues arising in cyberspace is equivalent to relying only on military solutions in physical space. Cyberdiplomacy must complement technical measures in cyberspace just as diplomacy complements military measures in physical space.

This book will not ignore digital diplomacy completely. Digital diplomacy will feature through offering digital tools which cyberdiplomacy can deploy in pursuing its broader objectives. In this sense, as in many others, cyberdiplomacy is little different from ordinary diplomacy. It is distinguished primarily by being applied to cyberspace rather than the physical space. A theme that will be explored in this book is how much difference that really makes and the extent to which cyberdiplomacy should be integrated within broader diplomacy. Digital diplomacy will also feature through the problems associated with it, or which it provokes, and which may require the help of cyberdiplomacy to manage. The extent to which digital tools are used in public diplomacy to counter information warfare risks escalation to an online free for all which might require cyberdiplomacy to de-escalate. Alternatively, cyberdiplomacy may be deployed to negotiate new norms to restrain online behaviour by state and non-state actors, helping to manage the problem without escalation. Digital diplomacy will also be affected by many of the issues on the internet governance agenda. For example, the debates on data protection at national and international level may limit the use foreign ministries can make of Big Data, whether in intelligence gathering and analysis or in providing targeted consular protection and support for distressed citizens abroad.

Digital Diplomacy

Digital diplomacy has compounded its own problems through an excessive focus on social media as a means to influence and assess foreign public opinion, a dependence which has led both to an online presence being seen as an end in itself and to less attention being paid to other, possibly more useful, digital tools. The disconnect between digital diplomacy and broader diplomatic strategies has been particularly limiting, with many diplomats having no clear idea why they are using particular social media.11 Many fail to understand the distinctions between different platforms, with Twitter more effective for immediate comment and reaction and Facebook and LinkedIn for more thoughtful attempts to influence opinion. Twitter poses particular problems for diplomats. It requires very short reaction times, with comments or replies to tweets having to be almost immediate to be relevant or have impact. There is no time for a diplomat in an embassy to consult with her foreign ministry before responding. Being effective on Twitter, as opposed to just using it as a means for publishing pithy press releases (which is what most foreign ministries do), requires delegating the authority to the diplomat in the field to tweet and retweet without reference to his ministry, or even his ambassador. Few foreign ministries have shown themselves willing to do this.

Social media such as Facebook and search engines such as Google pose their own problems for diplomats. The algorithms which drive them are designed to maximise marketing revenues by shaping what you receive to what can be deduced about your tastes and interests. This means that adverts on Facebook will be for products you are most likely to buy. But this also means that the friend proposals and the news you receive will also be filtered towards your known opinions and tastes. As we will discuss later, this reinforces the tendency towards echo chambers, where we socialise online only with people like ourselves and only listen to news and opinions which reinforce our existing prejudices. On the one hand, this is taken advantage of by state and non-state actors using social media to spread misinformation and fragment foreign societies. On the other hand, it limits diplomats depending on social media to speaking only to those who already agree with them. While reinforcing the support among like-minded supporters is no doubt useful, public diplomacy should surely seek to reach out to those who disagree as well. Dependence on social media for public diplomacy makes this difficult to achieve. The problem is compounded by the algorithms behind search engines, which condition and prioritise the search results produced. In 2016, far-right groups gamed Google's algorithm so that a search for ‘Did the Holocaust happen?’ produced a series of Holocaust denial sites. A major task for cyberdiplomacy may be convincing social media platforms to share more details of their algorithms.12