Thursday, September 22, 2011

4 Problems with China and Russia's International Code of Conduct for Information Security

The International Code of Conduct for Information Security proposed to the U.N. Secretary General by Russia, China, Tajikistan and Uzbekistan superficially sounds great but contains some critical flaws in its language. My recommendation is that the U.S. and its allies reject it. Here's why:

1. It does not support the most effective strategy we have in combatting cyber attacks: international cross-border law enforcement. Instead, in sections 1 and 5 it strongly supports territorial integrity and the sovereign right of States to protect their own Information space.

2. It only supports international cooperation when there's a threat to its power base by dissident political extremists or terrorists (section 3). Both Russia and China have been monitoring the "Arab Spring" in the Middle East and Northern Africa with great concern and are implementing national policies which arm their own security services with tools to detect and prevent a similar occurrence within their own borders.

3. Section 6 allows it to continue national policies related to censorship while at the same time promoting the freedom to search, acquire, and disseminate information. While there's universal consensus that some topics are so egregious that they should be illegal (e.g., child pornography), China's Great Firewall goes far beyond that.

4. Nowhere does this document address the activity that favors the Russian Federation and People's Republic of China the most - cyber espionage. It does, however, specifically ban the proliferation of "Information weapons and related technologies", which is nothing short of hypocritical since both the RF and PRC are actively involved in standing up their own IW commands similar to US CYBERCOM.

In my opinion, this document is a red herring and is part of an overall strategy of misdirection by China, Russia and the two former states of the Soviet Union. I hope that U.N. member states and relevant international organizations will read it with a critical eye and not embrace it without conducting an informed debate on what it does and doesn't actually say.


  1. Dear Mr Carr, I think your blog became very interesting. Your opinion on this topic is very understandable if you are on behalf of US official policy. But if you want to achieve more objective international standpoint, these countries are very constructive. Great Chinese firewall is lesser peril to civil society than Einstein 3 or Echelon system. I do not mean only on domestic population, yet on international too. There were several EU official resolutions on that issue. Tom Glutjen from wrote a year ago two good stories on this subject.
    Russia and China deservedly worry on usage of Internet services as an information weapon. There were many similar situations. Cyber space activities are most distinct examples of such information operations between states. In every such situation US is main “attacker” (Iran, Burma, maybe some Arab countries etc). It is even official US international cyber policy. But, policies are about state ideology, not technology and law. Moreover, direction of such information operations in cyber space one day can be inverted and then will be very interesting to see US official reactions. The main issue of this topic is that - misuse of cyber space for information operations. Of course, there is no effective solution without absolute identification both of digital content on packet level and attackers. The same situation is in case of identification lack of hacker when they wage attack on critical infrastructure in US or in any other way. Famous Chinese cyber spy operations do not mean they are badly aggressive against US, but more they are not effective as US cyber spy operations against China. And we know who is main leader in that field in the World.
    Very interesting US and Russia common attempt on international cyber security regulation is EastWest Institute cyber peace project, which has bright future, I hope so.
    So, if you are US patriot, Russia and China's International Code of Conduct for Information Security is not good proposal, but in international point of view, it is better than US 11 year old rejection on any agreement in that field and "do nothing but cyber self arming" policy.
    Your recent posts on complex cyber war were very interesting. Can you post more on that topic?

    Best regards, Dragan Mladenovic, Serbia

  2. Dragan, thank you very much for your comment and contrary point of view. I wish that more individuals like yourself would feel free to engage in this type of discourse.

    You are correct, of course, that I'm writing as a U.S. citizen and a patriot so I'm clearly biased. However, I have also defended China when that nation is attacked as an aggressor without any clear evidence and I have criticized some high-ranking U.S. officials in the U.S. government and the Dept of Defense who I believe are too aggressive with their positions on cyber warfare. So while I have a bias, I also try to be fair-minded.

    I'm glad that you enjoyed my writings on the complex domain of cyberspace and cyber warfare. I have expanded my thinking about that in the 2nd edition of my book which I hope will be published by the end of the year.

  3. The key to this whole discussion is that the Chinese want to focus on "information security" while much of the West want to focus on "cyber security". While cyber is broadly about protecting networks from intrusion and attack, the Chinese perspective on information security is about protecting content from intrusion and attack. Translated into the real world, that means being able to control the information your citizens have access to and can disseminate.

    Of course, I would expect if the US proposed its own code of conduct, it would also formulate the agreement to be in its own self interests.

    That's the name of the game.

  4. Exactly, Brian. National self-interest drives all of these discussions. That's pretty much each government's job, I think. :-)

    Regarding the terminology, information security is used by all countries. Cyber warfare is almost exclusively a Western term. Russia and China both use Information warfare but they mean exactly the same thing that we do when DoD is mapping out its cyber warfare strategy.

  5. Yes, that are two spheres on information security, two different approach which depends on national interests. But, technically, that are not the same things. More or less, IO primarily effects are cognitive and social influence on group of people or whole nation via or through cyber space (suitably for action on “less democratic” societies) and another is about technical provided operations which direct effects degrade or destroy information systems and dependent assets (with possible kinetic secondary effects on them, suitable for attack on more “cyber dependent nations”). In my opinion, IO are more dangerous than Stuxnet or GhostNet nowadays, because its effects can be more horrible (Colin Powell speech in UN on weapons of mass destruction in Iraq before US attack, Libya “uprising”, Serbia operation and so on, not only US IO of course).
    Public opinion in US today stands that China want to recapture leading super power position in the World. Almost everything is on China. But I think it is not correct notion. Russia has much stronger capabilities for cyber attacks. And China maybe do not want it to gain World supremacy at all. Their practice is much cleverer.
    Technology can be both good and very dangerous. It is not possible to prevent US government to stop do IW operations, because you can’t prevent information flow in cyber space. And contrary. You can imagine situation when any small group of people can be able to make a mini nuke and to use it anywhere. Complex World security and social system will be pushed into chaos. It will lead to end of humanity. And that moment is so close. So World need some agreement. It is no time to make a cold war again. World is too small nowadays for that. It is urgent need both for US, China, Russia or anybody else. Asymmetric threats like terrorism or cyber warfare can not be stopped. While hunting eastern nations by Smart Power, US foreign policy can be hunted by terrorism and their own technology.
    Attribution is main goal of any future cyber agreement. But it is not possible at large. So, states must carry out much more control in cyber space. Rights asks for duties. And that is the key.