We’ve been focused on the wrong spies. When 11 Russian sleeper agents were discovered living in the United States—and then sent home in exchange for their counterparts—it was hard to resist the sexy espionage tale with echoes of the Cold War. But while we’ve fixated on Anna Chapman and her cohorts, top diplomats were working on a wonkier but more important advance in spycraft. This month, experts from 15 countries agreed to begin serious negotiations on establishing international norms on cybersecurity. This story is far more significant in the long run because, without basic agreements about cyberspace, cyberattacks, and even cyberwars could become a daily danger.
Sure, spy stories are irresistible—particularly when a sexy redhead like Chapman is involved and there are plenty of racy photos to titillate readers. It’s also true that the press may have been too quick to write off the Russian sleeper agents as a bunch of bunglers who accomplished nothing. We don’t know what support roles they may have had for more serious operations; human intelligence can still trump electronic spying in many situations, and spying will always be with us.
But, increasingly, international relations will be shaped by new challenges that require new tactics—and new assumptions about where we can and should cooperate, even with former enemies. Look at the United Nations group of experts that overcame at least some of their mutual suspicions to take a first step toward international cooperation on cybersecurity last week. After years of talks that went nowhere, they—United States, Russia, China, India, and several others—agreed to begin discussing ways to exchange information about national cyberstrategies, strengthen protection of computer systems around the world, including in less-developed countries, and even set some ground rules on cyberwarfare. Other nations in attendance may not be G7 economies, but online they are powerhouses: Israel, Brazil, South Korea, and Estonia.
The idea that Russian and Estonian experts, in particular, could join forces to issue cybersecurity recommendations would have sounded absurd until recently. Just three years ago, Estonia was the target of a massive cyberattack, which now is held up as Exhibit A when it comes to cyberwarfare. The Estonians, and much of the rest of the world, were convinced that this was an attack orchestrated by the Kremlin in retaliation for Tallinn’s decision to remove a World War II memorial honoring Red Army troops. Moscow and local Russians were furious about this “desecration,” and there were violent clashes in the streets. Although the Russian authorities denied any involvement, the concerted cyberattacks on Estonia’s government and private-sector Web sites, designed to cripple the country’s digital infrastructure, certainly looked like angry and organized retaliation.
What’s changed? Those hard feelings haven’t disappeared, but there’s a growing realization that no country can protect itself from cyberattacks on its own. One key problem is attribution—the inability to definitely pinpoint the source of an assault. Terrorists, criminals, and political groups can now launch sophisticated salvos using “botnets”—armies of computers around the world that they have commandeered without the knowledge of the people who own those machines. That makes it hard to prove—and easy to deny—any state’s role in a specific cyberattack. And it makes everyone and everything, including critical infrastructure such as transportation and electricity grids, vulnerable.
That’s why not just Estonia but also the United States is increasingly interested in finding a way to work with Russia and the other key players. It won’t be easy. For more than a decade, Russia has pushed for a broad international cybersecurity treaty to establish norms on these issues. As in the case of China, Washington and many human-rights organizations have opposed anything that looked like an excuse to limit political freedoms on the Internet—and to track dissidents. The latest compromise language suggests that the Obama administration wants to find a formula to address common security concerns while skirting such disagreements. Some experts argue that countries, like individuals, could join protected Internet networks, where all communications are sourced. That would go a long way toward instituting a system of deterrence, since cyberaggressors inside these networks would be instantly identifiable. There could still be a larger, more Wild West-style Internet, but anyone operating there would be doing so at their own risk.
It’s hard enough for each country to come up with its own coherent national cyberstrategy. President Obama has called this a high priority, but The Washington Post’s “Top Secret America” series last week vividly demonstrated how unwieldy the U.S. national-security apparatus has become, especially since the terrorist attacks on September 11, 2001. According to the report, some 1,271 government organizations and 1,931 private companies are involved in counterterrorism and other national-security programs; an estimated 854,000 people hold “Top Secret” security clearances. That whole world is dependent, of course, on the most modern, complex computer communications. Yet top intelligence officials openly admit that they haven’t been able to produce a coherent set of policies, including a way to organize responses to cyberwarfare. “Frankly, it hasn’t been brought together in a unified approach,” CIA Director Leon Panetta declared in the Washington Post series.
Take that problem and add the complexity of coordinating cybersecurity measures on the international level and you begin to see the magnitude of the problem. But in the virtual world where national boundaries are often meaningless, international cooperation on cybersecurity isn’t a choice; it’s a necessity. We’re especially vulnerable to this kind of attack: imagine 24 hours when your computers at work and at home would be out of service, when you can’t get money from your ATM, when electricity stops flowing, when planes stop flying—you get the picture. Everything depends on computers these days, and everything can be targeted.
Our near-total digital dependence underpins the governmental, financial, economic, energy and every other structure. If we can’t build the kind of safety measures that are so desperately needed into this virtual world that is no longer separable from our physical world, we are all in trouble. In that case, even spicy tales of female spies won’t be enough to distract us from the consequences.
Nagorski is vice president and director of public policy at the EastWest Institute and the author of The Greatest Battle: Stalin, Hitler, and the Desperate Struggle for Moscow That Changed the Course of World War II. He wrote this article for NEWSWEEK’s Polish edition, NEWSWEEK Polska.