Cyber – Boundless Nonsense

In the Cyber industry, there is much to gripe about. We have a lot of very vocal experts out there, and roughly the same amount of opinions as there are experts. Most of the times, the differences of opinion are really just people being pedantic (or clueless) and while this is a detriment to the entire industry, we have bigger fish to fry. Some notions out there are just plain wrong, and they lead to really poor laws or national policies. If you’ve read any of my previous articles, you may know that when I go off on a tangent, my rants usually involve people who claim cyber warfare doesn’t exist. But the pundits have been strangely quiet on this topic lately, and so it leaves my hands free to chase another topic that’s been bothering me lately. Quite frankly I’m a bit surprised that I haven’t seen more articles on this subject, but here we go anyway:

Cyberspace is NOT without borders. Cyberspace DOES have boundaries.

As any IT person with a basic education in networks & systems will tell you, networks are made by connecting physical networking devices. These devices obviously occupy a physical space somewhere, making them susceptible to the national (and possibly international) laws of the country they are in. You can even configure most networking devices to only service a subset of internet traffic or, and this is especially relevant in this context, deny service to internet traffic involving certain geographic regions. In other words: if you run a country that is geographically wedged in between two countries that are at war with each other, you CAN opt to cease routing their internet traffic. It may not be easy, and it may not be politically useful, but it is certainly not impossible. Back in 2007 during the cyber attacks on Estonia, the responders actually mitigated much of the barrage of DDOS attacks arrayed against them by dropping large portions of international internet traffic.

The question is: What is neutral behavior in the context of cyber warfare? Are you, as a neutral country in the scenario described above, obliged to drop all traffic between these two nations that crosses your national networks? And if you’re not, are you obliged to make sure none of the cyber attacks are originating from compromised systems within your borders? Given the stakes involved, you may want to do that anyway. Simply dropping traffic might be easier though.  But what if dropping traffic from either side gives offense or is considered a hostile act? This can quickly develop into a political conundrum either way.  There is no official “right answer” yet, so for now governments will have to decide this on their own.

A more interesting question is: What constitutes our digital territory online? Our geographical borders are usually quite well defined, but 90% of the hardware on which the internet is built, is commercially owned and maintained. Would this mean that networks owned and operated by foreign companies are to be considered foreign territory? Does this automatically make them susceptible to the laws of the country that they originate from or registered at? But what about networks that aren’t owned by any official entity? And what about wireless networks? How would you treat areas that are covered by multiple wireless access points? If you look at the way territorial borders are handled by governments in physical space, I see no reason to treat cyberspace differently. In fact it’s probably a much easier approach to just declare the entire electromagnetic spectrum inside national borders as national territory than to figure out some new approach “just because it’s cyber”. You can even re-use the notion of Extraterritoriality or the special privileges as described in the Vienna Convention of Diplomatic Relations [PDF Alert].  Considering how international collaborations against cybercrime is currently being approached, we’re actually pretty much doing this anyway.

In conclusion, I would ask that experts and organizations such as RAND [PDF Alert],  Margaret Chon (Seattle University School of Law), NCCIC  and the Stanford Law Review (just a random grab) either develop a better understanding of cyberspace or be more clear about what they mean. In all fairness, I haven’t read the complete works of all these authors. They may actually understand what I just covered and if you read closely enough, they might not even be (technically) wrong. Nevertheless they give off the sense that cyberspace doesn’t have any borders and this is simply a poor representation of reality. The differences between Cyberspace and Physical space are not so big that we need to reinvent the wheel for every policy, law or process we have.  Let’s be sensible and re-use what we already have.