Secretary Of State John Kerry On "An Open and Secure Internet"

Herb Lin
Tuesday, May 19, 2015, 1:38 PM

Published by The Lawfare Institute
in Cooperation With
Brookings

Secretary of State Kerry just gave a speech in Korea (May 18, 2015) entitled “An Open and Secure Internet: We Must Have Both.” In this speech, he reiterates the U.S. position that “the basic rules of international law apply in cyberspace. Acts of aggression are not permissible. And countries that are hurt by an attack have a right to respond in ways that are appropriate, proportional, and that minimize harm to innocent parties.” He goes on to say that the United States also supports a set of additional principles that, “if observed, can contribute substantially to conflict prevention and stability in time of peace. We view these as universal concepts that should be appealing to all responsible states, and they are already gaining traction.” He says:
First, no country should conduct or knowingly support online activity that intentionally damages or impedes the use of another country’s critical infrastructure. Second, no country should seek either to prevent emergency teams from responding to a cybersecurity incident, or allow its own teams to cause harm. Third, no country should conduct or support cyber-enabled theft of intellectual property, trade secrets, or other confidential business information for commercial gain. Fourth, every country should mitigate malicious cyber activity emanating from its soil, and they should do so in a transparent, accountable and cooperative way. And fifth, every country should do what it can to help states that are victimized by a cyberattack.
For this blog post, I’m interested in the first principle: no country should intentionally damage another country’s critical infrastructure through online means. Several things are striking about Kerry’s articulation of the principle.

1 – It is not limited to activities undertaken in peacetime. That would seem to rule out cyberattacks on critical infrastructure even during war. Since U.S. military doctrine asserts the right under the Geneva Conventions to target war-supporting infrastructure, I have to wonder – has Kerry’s statement narrowed the range of cyberattack options available to the U.S. military during war?

2 – It does not say anything about non-cyber activities that damage another nation’s critical infrastructure. Perhaps that’s not surprising in a speech on cyberspace, but the lack of comment on this point stands out to me.

3 – Is his statement of these principles meant to bind the United States? Is he asserting that we are (or will be in the future) abiding by these principles? His speech is silent on this point.

As for the example that everyone will use to illustrate American hypocrisy – Stuxnet – I reject that claim categorically. There is no sense that the Iranian nuclear enrichment program counts as "critical infrastructure" in the usual meaning of the term as “vital to the functioning of the nation.” (Never mind that under U.S. law, even Sony was considered “critical infrastructure” – another bastardization of the plain English meaning of the term.)

Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.
