Christopher Painter is the US State Department's coordinator for cyber issues. (Defense News staff)
The US is in discussions with Beijing about the increase in malicious cyber traffic emanating from China. Itís part of a push by the Obama administration to grapple with the policy issues that have grown in significance as cybersecurity becomes integrated into nearly every aspect of civilian and military life.
Chairing those talks for the US is the State Departmentís Christopher Painter, a former senior director for cybersecurity policy at the White House. The second round of dialogue is set for the fall. Although there will be policy issues that canít be ironed out, the effort to improve cooperation and help define the difference between types of cyber attacks and intrusions is critical, Painter said.
Q. What do you think can be accomplished by the China working group?
A. The two areas are the threat area, and the president has been very clear in terms of the concerns that he has, you need to be able to raise those concerns and have a sustained dialogue, not just being able to raise these once a year. But we also need to have a sustained dialogue on how we can build better connections and transparency so that we can find ways to work together. For example, can we find a way to work together on the third party threat? Thatís important. That will build confidence, but it will also help us be safer.
Can we have discussions about what norms should be in cyberspace and hear them out, too? That helps build a stronger relationship over time. Look, this was the first meeting. Weíre going to have another meeting before the end of the year. Weíre also going to have intercessional discussions. I know Iíve been to China more than any other country since Iíve taken this job.
Q. Do you have any concern that the issue with Edward Snowden or any incident like that could harm the dialogue?
A. Iím not going to address the Snowden thing, but what Iíll say is this: I think a lot of countries want to discuss these issues because particularly the cybersecurity issue, but also cybersecurity governance and other issues in cyberspace, theyíre recognizing how important this is to their own development. I do believe that weíre going to continue having really good dialogues on this. But Iím also not Pollyanna-ish. There are a lot of challenges. Thereís not just the tactical threats but also the policy threats, and by those I mean different views on the future of cyberspace.
Will existing law be enough to regulate the cybersecurity domain, or are additional treaties or agreements needed to establish rules of the road for cybersecurity?
A. I guess from my perspective it certainly has some challenges, and the challenges are that people tend to think of cyberspace largely erroneously, as something thatís completely different from the physical. There are lots of areas, including the areas of potential cybersecurity conflict, where the rules that we used in the physical world for years, especially rules like the UN Charter and the Law of Armed Conflict, apply in cyberspace just like they do in the physical world.
So I think itís important to think of cyberspace as not being so separate and apart from the physical world that it requires a whole legal structure, or a whole new conceptual structure. That said, there are some differences in cybersecurity, and there are some things in terms of multi-stakeholder systems and management.
Q. How are countries grappling with cybersecurity policy issues, and does it impact international dialogue?
A. If you look maybe even as little as five years ago, certainly 10 years ago, this wasnít on the policy agenda of virtually any country. Indeed, when you went to talk about cybersecurity on the senior policy level, most people viewed it as a technical issue and not a policy issue. And I think thatís changed dramatically here in the US, evidenced in part by the creation of this office, but also with the coordinator at the White House, at [the Defense Department], at DHS [Department of Homeland Security], at [the Justice Department] and commerce. I think weíve arrived at the fact that lots of other countries are now thinking about this and have elevated them within their governments in terms of having national cybersecurity strategies put together, and in terms of having senior policy folks who play in this arena often, increasingly now at foreign ministries. There are probably now 10 counterparts to me around the world, which is a good thing because that elevates the discussion and policy issue, and grounds it in the reality that itís not just this technical issue, itís a policy area.
Q. You said the US believes most cybersecurity issues fall under existing laws. Do you feel that opinion is shared by your counterparts in other countries, particularly China and Russia?
A. There was a significant consensus reached in the UN Group of Government Experts. The group includes countries like China, Russia, the US, the UK; there are 15 countries overall. One thing that they said in the final report, which still has to be issued to the UN structure, was that international law, including the UN Charter, Law of Armed Conflict, etc., applies to cyberspace.
How you apply these concepts of international law to cyberspace, thereís still a lot of work to do. Weíve done that work with other technologies over time.
Q. How do you improve the dialogue to work through some of those issues?
A. One of the breakthroughs there is the president announced these bilateral confidence-building measures with the Russian Federation, which are the first of their kind in cybersecurity anywhere. Theyíre not rocket science, they are having a hotline, thatís a good transparency measure. This is something familiar in the non-cyber world, but hadnít really been applied in the cybersecurity world. If you have transparency measures that make countries more comfortable dealing with each other, you build on those cooperative measures where they may be cooperating against a third party threat, for instance.
Q. How are you approaching tackling the issues of botnets or other third-party attacks or intrusions?
A. One thing weíve done is working very closely with DHS, as DHS reaches out through their technical channels as they often do, and say, ďWeíre seeing this; can you help?Ē Weíve tried to marry that with a diplomatic out≠reach, where weíll go at a diplomatic level either to their foreign ministries or to other levels of government and say, ďLook, this is not just the ordinary technical request. We really would like your help here to try to build this greater norm of cooperation against these threats.Ē
Q. One of the difficulties is trying to separate third-party intrusions from attacks, and other variants of cybersecurity malfeasance, creating clear dividing lines. Do you think thereís international consensus about where those divisions are?
A. .The two major threat concerns that weíre facing right now are things like denial-of-service attacks. Thatís sustained, but itís not going to be debilitating. But thatís an attack. But you donít use the attack term for an intrusion. Itís not an attack, itís an intrusion. We always try to be very precise.
But then you have the intrusion activity, and the intrusion activity is also incredibly serious and is more and more so being viewed that way because of what is being taken is trade secrets and business and proprietary information. When you think about what really matters, obviously infrastructure matters, we care about that, obvious financial institutions matter. But also if all your trade secrets are going out the window and could be used to capitalize later on, that really drains the life blood out of the economy.
In all those cases, you donít necessarily know what the event is when you see it. It could be a criminal actor, it could be another kind of actor, and the first [priority] is to have good defenses in place, or better defenses than weíve had. But you also have to have a response, and thatís why law enforcement is so key.
Q. Youíve been working on bilateral agreements with several countries. Is that process helping to shape their national cybersecurity policies?
A. The interesting thing is for those, itís not just State Department to foreign ministry. It is us and defense people and our economic people from commerce and our homeland security folks. Itís really the suite of different players. And that means that they bring those people to the table, and thatís very helpful as they think about their positions.
Q. Weíve had espionage for as long as weíve had governments, but is there something different about the type of intrusions weíre seeing now?
A. There is a distinction when you have targeted activity that is intrusions thatís taking commercial information and the commercial information is being used for commercial purposes. Thatís something that the US doesnít do. Thatís one of the norms that weíre very serious about advancing, that thatís not something we should be doing
I do think there is some distinction between various types of activity. At the same time when I say thereís a difference between intrusion and attack, itís because people sensationalize computer attacks, even this idea of cybersecurity war. But in fact, when you look at what weíre really experiencing, a lot of it is the intrusion activity.
I mentioned that you had senior policymakers thinking this was a technical issue, but once you got beyond that you had people saying itís a security issue. When this was seen as also an economic issue, which it now is, that really moved things within the government too.