Defining digital sovereignty: there's no such place as cyberspace.
Robert Carolina: How do you calibrate a noncyber response to a cyber intrusion?
Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's law and policy podcast. I'm Dave Bittner. And joining me is my co-host, Ben Yelin from the University of Maryland's Center for Health and Homeland Security. Hello, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: On this week's show, Ben has the story of Amazon allegedly spying on warehouse workers. I have an overview of how cyber policy may play out in a Biden administration. And later in the show, my conversation with Robert Carolina. He's general counsel for the Internet Systems Consortium and a senior visiting fellow in the information security group at the University of London.
Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.
Dave Bittner: All right, Ben, let's dig in with some stories here. Why don't you start things off for us?
Ben Yelin: This is a fascinating one, Dave. It comes from Motherboard on VICE. And even though Joseph Cox did not write this article, I did find it through his Twitter account.
Dave Bittner: (Laughter).
Ben Yelin: It was actually written by Lauren Kaori Gurley. And it's about a secret document obtained by Motherboard indicating that Amazon surveils labor and environmental groups, and they engage in some - what amounts to union-busting activities through this surveillance. So to unpack it a little bit and just to add a little bit of context, this largely happens in Europe, and one of the reasons it's more prominent in Europe is they just have a culture that respects organized labor more than we do in the United States. I don't know if you know this, Dave, but we've kind of perfected union busting in the U.S.
Dave Bittner: (Laughter) Well, you know, I know - I think about my grandfather, who was a union steelworker his whole life and, you know, started sweeping the shop floor at 17 and retired at 65 with his gold watch, you know, foreman of the melt shop. But I think about how someone like that who graduated high school, didn't go to college but was able to raise a family, have a nice home in the suburbs because of a union job, and it seems to me like those jobs are few and far between these days.
Ben Yelin: Yeah. I mean, that was the American dream. That's absolutely true. Over the past 40 years, for a variety of reasons, especially in the private sector, just as a country, we've decided to make it a policy to make it very difficult to organize, very difficult to form unions and very difficult to sustain them. Europe has had more luck. I mean, there's been some of a movement there at union busting, but their organized labor infrastructure is more robust.
Ben Yelin: And that's more of a concern to Amazon, which has a large presence in Europe. They, of course, are very concerned that their employees will try to organize, will try and unionize. And so what Amazon has been doing is using electronic surveillance techniques to try and stop union organizing activity before it starts. So there are a couple interesting elements to this. One is that they are using the Pinkerton operatives, the spy agency that's known for union-busting activities - also the most overrated Weezer album, but I will save that for another day.
Dave Bittner: (Laughter).
Ben Yelin: So they obtained these emails that show the sophistication of these efforts to spy on workers across these fulfillment centers in Europe. So these Pinkerton operatives will create false social media accounts with no photos and try to ingratiate themselves with employees, people who work at these fulfillment centers, to try to get insight as to what's going on there.
Ben Yelin: So, you know, they'll get regular updates and send them back to global headquarters on whether somebody has been trying to organize in a factory, the number of participants in an event that promotes union organizing - the time, the location that took place. You know, if they hear anything about a strike or distribution of leaflets, that'll be reported. And Amazon basically has an entire intelligence agency, an internal intelligence agency, that monitors this and, you know, tries to take action on the basis of the intelligence that they're gathering.
Ben Yelin: They talked about one instance where they had to enhance monitoring because the leader of - the former leader of the Labour Party in the United Kingdom, Jeremy Corbyn, was set to go to one of these Amazon fulfillment centers. And, you know, he's a very prominent left-wing politician, so they assumed that he would be discussing efforts to organize. And so they kind of put their surveillance on overdrive to try and get some insight as to what was happening inside that meeting.
Ben Yelin: These documents just came out. They were released to Motherboard, and Motherboard tried to elicit actions - or tried to elicit responses from policymakers both in the United States and in Europe. They got some statements from some left-of-center politicians of the United States saying that this potentially violates some of our national labor relations laws. And this is something that the NLRB, our National Labor Relations Board in the United States, should look at.
Ben Yelin: And there was a similar reaction among politicians in the European Union. The European Parliament has a lot of privacy, data privacy advocates and also supporters of organized labor who are apoplectic at seeing these documents. I think they've anticipated for a long time that this was going on. But to see how detailed the effort is and how many resources Amazon is putting into these surveillance efforts, I think, made them even angrier. So my only question here is, what is our recourse here? What are the United States government and the European Union actually going to do? And is Amazon actually breaking any laws?
Dave Bittner: Right, right. Well, that's my question, is - because I think, first of all, I mean, using the word spying - that's a charged word, right?
Ben Yelin: Yes.
Dave Bittner: I mean, wouldn't Amazon say, we're simply gathering information, you know, it's good for us to have our ear to the ground? You know, it's - we need to know what our employees are thinking so that we can best create an environment.
Ben Yelin: Yeah, best serve their needs, yeah.
Dave Bittner: And I think they can make this argument, and there's a certain point of view that would say that from a business point of view, it's in their best interest to do so. So as long as it's not illegal, what's the problem here? So I guess the question is, is it illegal?
Ben Yelin: I don't think it is. Now - and I say that as somebody who is generally very supportive of organized labor and is kind of - not disgusted by this effort because I think it's something that I would've expected, but certainly look upon something like this disfavorably.
Dave Bittner: Right.
Ben Yelin: I think workers have rights as it relates to organizing. They're more limited in the United States than they are in the European Union. But employers have rights to monitor the operational nature of their own companies.
Ben Yelin: You know, so you'll see that in workplaces across the United States that are monitoring personal computers to see, you know, if people are wasting time during work hours, even, like, some high-profile businesses who have done video surveillance. We've had a couple of segments on this podcast about companies that have innovative ways of tracking how employees are wasting their time on the job.
Ben Yelin: So I think companies do have this vested interest in gaining knowledge of how operations are going at their own facilities. And, you know, I just don't see that there is much legal recourse against one's employer from an employee. I also don't know what the employee contracts say. I think that could have a big impact here.
Ben Yelin: What Amazon seemed to indicate, at least in response to this article, is they follow all applicable laws in conducting the surveillance and in their enforcement mechanisms. And I tend to believe that with the amount of resources Amazon has and the fact that they don't want to expose themselves to liability, they have probably dotted the i's and crossed the t's on this.
Ben Yelin: So, you know, they've probably looked at contractual language where perhaps, in signing employment contracts, workers have been made aware, at least, that their activities potentially could be monitored during work hours for a number of different purposes, but possibly for monitoring for signs of organized labor.
Ben Yelin: I take a lot from the fact that when they interviewed policymakers in response to the article, the responses weren't, this is a violation of U.S. code, section, whatever. It was, this is highly unethical, disturbing behavior, and we should have an investigation to see why it's going on. And that's always kind of a negative indication to me that you have more here on the moral side than you do on the legal side in terms of opposition to Amazon. But that's just my initial take on it.
Dave Bittner: Yeah. I mean, is there any hope of kind of, you know, shaming them into doing the right thing, or is - a company that operates at this scale is beyond shame (laughter)?
Ben Yelin: That's kind of my perspective on it.
Dave Bittner: Right.
Ben Yelin: It's like - it's hard to shame Jeffrey Bezos. I mean...
Dave Bittner: Right.
Ben Yelin: ...He's, you know, one of the richest people in the world, created this empire. And I just don't know if he's going to concern himself with the type of criticism you get from leaked documents to Motherboard.
Ben Yelin: You know, it's also - until this kind of seeps into the public consciousness, I don't think enough people would know about this. Even though it's gotten a reaction among Democratic lawmakers in the United States and some politicians within the European Parliament, it's not like this has become a major international scandal.
Dave Bittner: Right.
Ben Yelin: And, you know, I think it's certainly within Amazon's own financial interests to prevent their employees from unionizing because that would entail paying people in fulfillment centers increased salaries, increased benefits, et cetera, and Amazon wouldn't be able to operate as cheaply.
Ben Yelin: And frankly, as consumers, I mean, we certainly benefit from the fact that the cost of production and distribution is relatively cheap. You know, I can get my $2 replacement iPhone charger cord because they're not, you know, paying union wages in these fulfillment centers.
Dave Bittner: Right.
Ben Yelin: So I - you know, I think Amazon's philosophy would probably be, like, we'll take the hit on this. We'll get some angry letters from some of our customers, some policymakers in these countries where we operate. But, you know, it's not worth us changing our behavior.
Dave Bittner: Yeah. It'll blow over.
Ben Yelin: Yeah, I think that - I mean, I really do think that that's their philosophy.
Ben Yelin: But I just think, you know, it's fascinating to look at Amazon as sort of an intelligence agency. I mean, the way they describe analyzing what they're seeing in their own fulfillment centers is how the CIA and the NSA do signals intelligence - you know, five color-coded risk ratings on particular meetings that take place in warehouses, whether this was a negligible risk meeting that they observed, low, moderate, high or critical. So it's just like Amazon is almost operating its own counterintelligence agency, which is just fascinating to me.
Dave Bittner: Yeah. Again, you know, companies, when they're at this scale, the resources they have to do these sorts of things, it's - I guess remarkable is one way to put it.
Ben Yelin: Yeah. Once you get on top, you want to stay on top.
Dave Bittner: Yeah.
Ben Yelin: And, I mean, I think that's the philosophy at play here.
Dave Bittner: All right, well, it's certainly interesting news.
Dave Bittner: My story this week comes from Politico. This is written by Eric Geller, a friend of the show, good cybersecurity reporter over at Politico. And he has an article titled "How Cyber Policy Will Evolve Under Biden." And it's just a nice overview. You know, I don't know if you heard, Ben, but we have a new president-elect. Depends on, you know...
Ben Yelin: Seemingly. Seemingly, yeah.
Dave Bittner: (Laughter) Depends on where you get your news. But I think as you and I record this, we're pretty safe in saying that President-elect Biden will take office in January.
Ben Yelin: Yes.
Dave Bittner: And so that's going to lead to some potential changes. I think one thing that's interesting, overarching here is that, you know, despite some kind of last-minute chaotic changes that took place after the election - you know, President Trump firing Christopher Krebs, who was universally praised for the job he did securing the elections...
Ben Yelin: Absolutely.
Dave Bittner: ...Clearly a move for President Trump's own motivations, but one that left most people scratching their heads.
Ben Yelin: Yes, to put it mildly, yes.
Dave Bittner: Yeah. But aside from that, I think cybersecurity has been one of the areas that has enjoyed bipartisan support. It's - I think it's something that everyone recognizes is important. And so I think overall, because of that, it's enjoyed success in the Trump administration maybe through neglect because there are other shiny objects for them to focus on. They let the professionals handle this and do the things that need to be done. I don't know if that's a fair assessment on my part, but what's your take on that?
Ben Yelin: It seems pretty fair to me, given that as soon as the president got wind of what Christopher Krebs was doing related to election security, he put him on the chopping block and when Krebs told the truth about the fact that the election was historically secure, he had to pack his bags and leave. So, you know, I definitely think there's some truth to that.
Ben Yelin: I think this article is very interesting in that there are some areas where President-elect Biden will go in a different direction. I think they talk about how he's going to be more confrontational as it relates to Russia and what they did in 2016 - cyberattacks, social media manipulation, et cetera. Obviously, that's not something we saw from President Trump on a large scale.
Dave Bittner: Right, right.
Ben Yelin: But generally, a focus on election security - I'm wondering if that means rehiring Chris Krebs. I hope he kept his ID card.
Dave Bittner: (Laughter).
Ben Yelin: There's a decent chance that come January, he could move back into his office in Washington.
Dave Bittner: Right (laughter).
Ben Yelin: He is widely respected on both sides. You know, there were a lot of Republican members of Congress who were very critical about the fact that he was fired.
Dave Bittner: Yeah.
Ben Yelin: But there are a couple bipartisan efforts that President Trump took during his term that I think President-elect Biden will continue - authorizing the U.S. Cyber Command to conduct digital strikes without the president's approval as part of a 2018 executive action that President Trump took, and then establishing CISA. Those are two things that were bipartisan. And then I think, you know, there's no reason to think that President-elect Biden will make changes to that.
Ben Yelin: Couple other really interesting questions here - how much of the Solarium Commission report is going to be adopted? Some of it would require legislation. And at this point, it does not seem too likely that President-elect Biden will have dual congressional majorities. So some of that could be difficult and would have to be done by executive order.
Ben Yelin: And then the personnel - one person they mentioned here as potential cyber director is Chris Inglis, who was the former director of the NSA and somebody who - I know you and I have talked about him. I think he's very widely respected in the field...
Dave Bittner: Yeah.
Ben Yelin: ...Just being somebody who's both smart, candid and really mission-oriented. So I think that would be very well-received. So, yeah, I mean, I think it'll be really interesting for those of us who are nerdy about this stuff to see what President-elect Biden does, assuming he takes office on January 20.
Dave Bittner: (Laughter) I think we - I think - let's go with that, shall we (laughter)?
Ben Yelin: Yeah. Let's just assume that for our purposes.
Dave Bittner: (Laughter) That's right, yeah. Well, it's an interesting article, again, written by Eric Geller. It's called "How Cyber Policy Will Evolve Under Biden." It's over on Politico. Definitely worth your time to check that out.
Dave Bittner: We would love to hear from you. If you have a question for us, you can call in and leave a message. It's at 410-618-3720. You can ask your question there, and we may use it on the show. You can also email us. It's caveat@thecyberwire.com.
Dave Bittner: Ben, I recently had the pleasure of speaking with Robert Carolina. He is the general counsel for the Internet Systems Consortium, and he's also a senior visiting fellow in the Information Security Group at the University of London. I've interviewed him a couple of times, and I must admit he is one of my favorite people to speak to about these sorts of topics - just a really sharp guy, challenges me in many good ways, as you'll hear in this interview. Here's my conversation with Robert Carolina.
Dave Bittner: In the current environment, how are people defining digital sovereignty?
Robert Carolina: I suppose it begins with the recognition that there's no such place as cyberspace. Everything that happens, every communication we send and receive or make use of has an impact or is generated by actions in the real world. And in the real, physical world, the No. 1 organizing principle that we've had as an international community for four centuries is this concept of territoriality, by which I mean physical geographical territoriality, and the concept of sovereignty or sovereign exclusivity over that territoriality.
Robert Carolina: So what's happening, I think, is that sovereign states around the world are just starting to get to grips with how do they extend and enforce and test the limits of their sovereignty in this new and different medium?
Dave Bittner: And how does that play out in the real world? Where are we seeing people stretching those boundaries or testing those limits?
Robert Carolina: Well, it's come up in a lot of different ways. I think one of the most famous early cases that has almost nothing to do with the internet was the situation that developed between the United States and the SWIFT international funds transfer system in the early 2000s.
Robert Carolina: And this was a case where U.S. security officials wanted to get ahold of banking records. And SWIFT, of course, is a very well-known international funds transfer network owned by thousands of member banks. But this request was specifically addressed to the U.S. office of SWIFT. And the U.S. people there, in compliance with U.S. law, were able to reach into records that were stored in servers under their control in the U.S. and deliver the data.
Robert Carolina: Well, news of this eventually leaked out, and the organization, based in Belgium, was furious. The Belgian government was furious. The European Union was furious because without doing this in a coordinated way, it put a lot of people in jeopardy in terms of violating data protection and other confidentiality rights of various depositors.
Robert Carolina: Now, that situation was ultimately resolved at the diplomatic level, and a diplomatic agreement arose about how do you deal with situations like that. If we roll back the clock, the late 1990s, there was the famous case where World War II Nazi memorabilia was being offered for sale through an online auction site based in the U.S. In fact, at this time, it was Yahoo. That tells you how long ago this story is.
Robert Carolina: And if you've ever lived in Europe, one of the things you learn pretty quickly is that in places like France and Germany, there are laws against selling or offering for sale World War II memorabilia that memorializes or glorifies the Nazi regime. It's a very, very strong cultural value in those countries.
Robert Carolina: So here we had people - in France, specifically, was the case - were able to view and bid on memorabilia being offered for sale through a site in the U.S. Well, a case was brought in France, and the French court said, you got to cut that out; you got to stop that. All right, well, Yahoo took a step back and said, well, wait a minute; the internet has no borders. We can't tell where anybody is. We can't do anything about it.
Robert Carolina: And bearing in mind that this was slightly more than 20 years ago, at that point, somebody sort of raised their hand in the back of the court and said, actually, you know, there is something we could do or that could be done by mapping IP addresses to sovereign locations. And the engineers at Yahoo were saying things like, yeah, but that won't be perfect. And the judge in France said, yeah, well, go and give it a try. And if it's good enough, I probably won't say anything. And if it's not good enough, I'll be coming back and telling you again to cut it out.
Robert Carolina: And that was kind of the beginning, to my recollection, of seeing individual service providers imposing server-side outbound geofiltering specifically in an effort to comply with demands of an overseas sovereign state. So that's an old story and an important one. And from that day to this, the number of instances of geofiltering have only gone up and up and up through any number of mechanisms, including, effectively, self-censorship in an effort to comply with somebody else's law.
Dave Bittner: Yeah, that's fascinating to me because I guess the mental model I have in my mind of sort of the fundamental way that the internet works is that because it is designed to be robust, that you don't necessarily know how your data is transiting from point A to point B. There are many hops between here and there, and it may take a direct route, it may take a - the long way around. So how do I know that the data that I am sending from point A to point B isn't making a stop along the way somewhere where they may not want that data there or I might not want my data being there?
Robert Carolina: That's a lot of question.
(LAUGHTER)
Dave Bittner: Sorry.
Robert Carolina: No, it's OK. It's OK. But it does illustrate the problem of trying to get to grips with all of this.
Robert Carolina: My suggestion to you is let's just try a thought experiment. For the moment, ignore the intervening copying points. You know, if we assume that the internet is just a series of servers or routers that copy and then paste packets and shove them down the line and first think about just the point of origination and the point of delivery and ignore everything in between - if you start with that as a framework, that's usually enough to try to get to grips with what most people are worried about most of the time because the stuff in between is designed to simply - they're bit buckets. They're just designed to take ones and zeros and move them down the line. And the intervening copies might or might not have any sort of clue about what's going on in the middle.
Robert Carolina: Where most of the problems arise are trying to figure out from where has this content originated and to where is it being delivered, or from where has it been requested and from whom is it being delivered? The stuff in between - usually not the biggest issue that I see in a regulatory sense.
Dave Bittner: What about dealing with cloud service providers? I'm thinking of, for example, if in the course of doing their everyday business, my cloud service provider, whoever they may be, is backing things up just as a best practice. And I don't necessarily know where they're doing that. I suspect I'm probably glad that they are doing that. But...
Robert Carolina: Can I stop you there?
Dave Bittner: Yeah.
Robert Carolina: Can I stop you there, Dave?
Dave Bittner: Sure.
Robert Carolina: My question back to you is, why don't you know where they're doing that? How is it that you've entered into an arrangement where you don't know where they're doing that? How has that happened?
Dave Bittner: Well, it's an excellent question. And it - perhaps it's exposing my own naivete to think that those sorts of agreements would happen without people asking those questions.
Robert Carolina: Well, I mean, I would say in dealing with large organizations or, dare I say it, very sophisticated organizations focused on compliance, particularly those that are based in Europe, they are now asking this question routinely. It's coming up on just about every arrangement they enter into, whether it's software-as-a-service platform or infrastructure as a service. They want to know the answer to the question, where is my cloud?
Robert Carolina: Well, your cloud is everywhere and nowhere. No, that's not good enough. I know that cloud is just me using somebody else's computer, and I want to know where it is. So those questions have been coming up routinely on due diligence for a very, very long time.
Robert Carolina: They first came up particularly with government contracts. The first government contract I'm aware of where this came up, I believe, was the government of British Columbia back in the '90s or maybe even '80s - I don't know how old it was - where they were doing an outsourcing agreement with a U.S. company. And the government said, well, you know, we'll outsource this data processing to you, but, of course, all the data will remain in Canada. And the supplier said, oh, but that's not how we do our service. It's like, yes, but that's how we do our contracts.
Robert Carolina: So this question is arising routinely. And I got to tell you the cloud service providers, the infrastructure folks in particular, are very adept at answering the question. And in fact, they offer services to people that specify as a service delivery mode, they will say - give people the option, where do you want your data to be stored? And that can be drilled down sort of on a regional basis or on a state-level basis. The very sophisticated providers are already providing this service.
Dave Bittner: What about sovereignty from the other direction? If I'm a nation-state and I want to keep the rest of the world out, I want to limit what my citizens are able to know about the rest of the world, what sort of things are we seeing from that direction?
Robert Carolina: Well, I mean, let's be clear; there are a lot of different reasons why a state might want to reduce content entering their territory. The use case that you describe is the one that produces the most debate because it's the most heated, and that is the types of governments that say, we don't want anyone to intrude on our sovereign territory with anything that's critical of our government or our royal family or, you know, whatever the red line is, whatever the bright line is. That's one use case.
Robert Carolina: There are other circumstances where sovereign powers seek to reduce the entry of message traffic. The United Kingdom, for example - not the kind of place you would normally associate with, you know, building a huge wall in front of the internet. Nonetheless, fascinating case here a few years ago around copyright.
Robert Carolina: Now, the reason it comes up there is you had a circumstance where somebody had made lots and lots of copies of content owned by, you know, the usual suspects, the rights-holding community in Hollywood and elsewhere and the record industry. And that content was being hosted on a series of servers in a jurisdiction where what that person was doing was perfectly OK because copyright law is different from place to place. There are different rules on fair use and fair dealing.
Robert Carolina: And this particular person had decided to post all of this copied content on a server in a place where the rights owners, they couldn't do anything. The government there would say, you know, this person's complying with our local copyright law.
Robert Carolina: Problem - you have any number of people resident in the U.K., where getting copies of this material is not permitted. So those would constitute infringing copies.
Robert Carolina: So the rights-owning community said, well, we could do a couple of things. I suppose we could try to sue hundreds of thousands of living individuals every time they click download because, in theory, they're, you know, they're infringing. I mean, that is correct as far as legal analysis goes. But you can see that there's certain process costs involved.
Robert Carolina: In fact - actually, if you want to get really, really funny, there was briefly a law firm here that tried to do precisely that. And they got their head handed to them because they got a little too aggressive and weren't spending enough time figuring out who they were sending threatening letters to.
Robert Carolina: But instead, the rights-owning community did something kind of clever that a lot of people hated. And that was they said, well, we know how to keep infringing content out from this website; we'll get the internet service providers to filter it. So they went to court and sued not the people who ran the server, not the people who uploaded the material to the server, not the people who were downloading from the server. They brought a lawsuit against BT, you know, the largest single operator of internet infrastructure in the U.K., to my knowledge.
Robert Carolina: And they weren't saying that BT was doing anything wrong. I mean, bear in mind the European Union has certain defenses available in the same way the U.S. does, but if you're just carrying bits from place to place, you know, we're not going to sue you for copyright infringement. So they weren't - there's nothing that BT was doing wrong. Let's be clear about that.
Robert Carolina: The lawsuit was about, we want BT to activate a filter so that any requests coming from this particular server will not get a response. Now, BT did not take kindly to this, as you can imagine. You know, they don't like being in - they didn't think this was part of their business. I can't say I blame them, frankly.
Dave Bittner: Yeah.
Robert Carolina: And they went in and said, look - this would be very disruptive, very problematic. Why is this appropriate? Well, this is one of these circumstances where we the courts or, you know, we the rights owners think that if you were to just do a little bit, you would actually help us, save us from losing a lot of money. And so the question became, well, how easy or difficult is it to try to filter this traffic? And what came out during the discussion is - well, actually, don't you do something like this already? I mean, isn't it the case that every internet service provider of substance in the U.K. already filters content from certain blacklisted websites? The Internet Watch Foundation exists and lists a whole series of sites that have, you know, content that's so heavily awful and illegal I don't even like to talk about it. It's just terrible.
Dave Bittner: Yeah, yeah.
Robert Carolina: And, you know, you can imagine what we're talking about here.
Dave Bittner: Sure.
Robert Carolina: And they said, you know, you already have that technological ability to filter traffic to specific sites. All you have to do is add this address onto your list. Oh, well, yeah, I guess we could do that. But that won't be perfect. Well, no, it won't be perfect, but it's a start. So those are two different use cases, two different - I mean, different sovereign states have different reasons for wanting to keep something out. Sometimes it's hugely political and offends our sense of free speech and fair play and democratic values. Sometimes it's about economic rights. And sometimes it's about trying to protect the human rights of the people who are in your sovereign territory, which is where we get to data protection.
Dave Bittner: Where do you suppose we're headed with this? I mean, what are the trend lines that you're seeing? From a global point of view, which way do things seem to be leaning?
Robert Carolina: The direction of travel continues to be in the direction of sovereign states increasing the authority that they assert with respect to how internet infrastructure is used. That's the direction of travel, and that's nothing new. There's a book out there that's great on this subject called "Who Controls the Internet?: Illusions Of A Borderless World." It's written by Jack Goldsmith and Tim Wu. You know, that book is 14 years old. And they're both lawyers. They're both very, very well-known lawyers. And they just cite - they have a litany of case studies about how sovereign states were beginning to assert authority and how people were having to answer lawsuits, whether it was under the law of defamation or copyright infringement or violation of human rights or violation of privacy or whatever it happens to be. And that has increased.
Robert Carolina: At the same time, you have people who operate content websites who have actively attempted to comply with overseas laws, filtering their own content in an effort to comply. And now the next big thing we see on the horizon is the emergence of both offensive and defensive cyber operations by sovereign states which intrude, to a greater or lesser extent, on the sovereignty of others. I mean, that's kind of at the cutting edge because some of that is sort of entering the public sphere for public debate for the first time over the course of the last couple of years. I mean, were there offensive cyber operations 15 years ago? You know, I don't know. It would have been all classified, I guess.
Robert Carolina: But we certainly - everybody sure knows today that there are. I mean, there's no question about it. So now one of the cutting-edge issues is, what will sovereign states do and what will the new normal be in an online world? And that gets us into a discussion of things like Tallinn Manual 2.0 and how existing international law applies to cyber operations.
Dave Bittner: Right. And when do operations in the cyber realm elicit a response in the kinetic world?
Robert Carolina: Yeah, that is a really vexed problem. I contend - actually, I've got a paper coming out shortly that my wife and I co-wrote. She's got a Ph.D. in international relations, and she's at least one or two steps smarter than me. And the way that we've described the internet in that paper is we describe it as being border-full and distanceless. The challenges that the internet presents are because of this characteristic of being distanceless. Somebody pushes a button, an offensive button, on a machine in Place No. 1, and the packet arrives in Place No. 2, seconds - milliseconds or seconds - later.
Robert Carolina: And whatever the impact is going to be - now, it may have been weeks or months or years of planning and less invasive intrusion to prepare for the day when that button is pushed. And that's part of the problem right now in terms of assessing international legal response. But it's that distanceless characteristic, the fact that there's been a reduction in what's called the distance strength gradient, which is an old idea from IR about 50 years ago, brought about by this new domain of operations.
Robert Carolina: But what's also complicating things and the reason we call it border-full is because for some reason, the word borderless has become synonymous with powerless. It's become just sort of a metaphor for the inability to filter traffic. What people don't do, however, is realize that a border is also a type of a connective tissue. It also defines relationships among and between neighbors.
Robert Carolina: And here's something for you - there's something like 193 sovereign states recognized who are full members of the United Nations today. If you look at all of their land borders - ask, well, how many land borders are there between these 193 sovereign states? The answer is, depending on how you count them, about 300 - about 300. I mean, I think the state with the most land borders would be Russia with something like 14, 15 or 16, depending on who's doing the count. But a lot of times, a sovereign state like the United States, for example, has a land border, effectively, with two countries.
Dave Bittner: Right.
Robert Carolina: And an island has a border with zero. So there's only about 300 of these things in the world as we know it today. If, however, we look at the internet as a phenomenon, as a distanceless phenomenon, and if we assume for the moment that intervening cyberinfrastructure may well be ignorant of what passes over it, that puts every sovereign state into an immediate connective relationship with every other sovereign state on the planet. And here's your big mathematical question, and that is, if you have 193 sovereign states, each of whom has a border with every other state, how many borders is that?
Dave Bittner: (Laughter).
Robert Carolina: I'll put you out of your misery. It's something north of 18,000.
Dave Bittner: OK, thank you (laughter).
Robert Carolina: That's 18,000. You know, I'll tell you what. Do you know how long it took me to look that up? I mean, I know a bunch of mathematicians, and I had to drill down to find it.
Dave Bittner: (Laughter) Better you than me, Robert.
Robert Carolina: There's no way I would have - I didn't come up with it in less than an hour. Let's put it that way.
Dave Bittner: (Laughter) OK.
Robert Carolina: Nonetheless, the total number of bilateral border relationships that have now been created between sovereign states is more than 18,000. So that kind of border-full relationship is part of what's creating an enormous amount of tension in international relations today.
Dave Bittner: Is it right to think that there's also a decoupling of historical things like landmass, size of military, all those sorts of things? It's not a one-to-one relationship in the cyber realm. You don't have to be a big, bad country with a huge military to have tremendous influence online.
Robert Carolina: That's absolutely right. I mean, one of the reasons that we feel, for example, that, you know, the internet actually could easily produce more conflict rather than less, or what we call the calculus of conflict, is that it changes both motive and opportunity. Let's take an extreme example. If you want to join the club of sovereign states that have nuclear weapons - you know, not that I'm encouraging anybody to do that - it's a very expensive game. You don't get into it for less than what we're going to describe as a ridiculously large amount of money. And for that matter, you've also got to overcome an enormous amount of international pressure to just, you know, stop it. Don't do that. We don't have to talk about that.
Robert Carolina: On the other hand, when you look at cyber operations, if the only thing you're interested in doing is the occasional smash and grab - I mean, if you don't care about attribution, you know, if you don't care who knows who you are, if all you're trying to do is, like, just knock things over or be a bit of a pest, almost anybody can get into that game at very little money. Now, if you want to do something super-duper sophisticated and invest a huge amount of time and effort in it in an effort to, like, reduce collateral damage, which is allegedly the case with the Stuxnet incident because no one's ever fessed up and said, yeah, we did that, but everyone thinks they know who did that - if that was the action of a sovereign state or two, then that presumably took a lot of not just engineering effort, which a lot of people focus on in the literature, you know, in terms of, like, what would it take to develop all this code and to understand this now? But consider also the intelligence-gathering exercise that has to go on in the background to figure out, well, what is the spec we're going to give the engineers? And how do we find out the serial numbers on the affected devices? And then how do we know for sure, you know, who is the right person to target in terms of getting the message to walk the thing across the air gap? I mean, the amount of background effort involved in that - I can't even begin to calculate what it would be, but it would be huge. But not everyone needs to play at that level.
Robert Carolina: I think this is an area unlike the great games. You know, if we talk about international relations, a lot of people talk about the great game or the great powers. Well, you know, if you wanted to play the great game of the 19th century, you had to have a lot of money. If you wanted a seat at that table, you had to have a lot of money, a lot of technology, a lot of resources. This is a game where almost anybody can get a seat at the table. Everyone can sit and play a hand. Now, you might not have the most chips, but you can still play. And you might not win because you might not know what you're doing, and you might get trounced. But nonetheless, I mean, we've entered an age where an awful lot of people can take advantage of what appears to be a new domain for the projection of power.
Dave Bittner: Is it fair to say that for the traditional world powers, that's a burr in their saddle?
Robert Carolina: I think probably burr in the saddle is the right metaphor at this point because most of what we think of as the great powers all seem to be eyeing each other primarily. And from the U.S. perspective, there's a lot of time spent focusing on, how do we develop and signal all of these norms for the peaceful use of this medium we call cyberspace? And that's an important discussion to have. And no one's quite sure exactly how to read into that. But one of the things we were discussing a little bit earlier - one of the challenges that we face with international law is that it tends to limit - let's just call them severe intrusions into sovereignty. Or even if international law says you shouldn't intrude at all onto sovereignty, the appropriate response for a limited intrusion into sovereignty is also very, very limited.
Robert Carolina: So if we think about someone - a great power playing a long game - I mean, I'm going to make some intelligent guesses here because I don't work in this space, and I never have. Let's assume that somebody needs to sort of, like, test the resolve of their targeted enemy. So in my mind, I'm envisioning a whole room or a whole building full of people behind screens who are, like, delicately trying to scrape away or test at the limits of - boundaries of how secure various bits of critical national infrastructure are, et cetera, et cetera, et cetera. Now, at this point, we have one sovereign state intruding onto the sovereignty of a second sovereign state, and that's a bad thing. But what have they done? You know, have they actually done anything yet that merits a kinetic response? Not - it doesn't seem so. Under existing norms as we know them, they haven't done anything that would amount to an armed attack, which is usually the big triggering phrase. Instead, they're doing a lot of preparatory work, which individually constitutes a crime of the target state. So I mean, here's where we get things like the U.S. actually naming individual agents of foreign states in criminal indictments and saying, hey, we have reason to believe you committed a crime. You committed a crime by breaking into a system in the U.S., and so we've named you in this indictment. And if we ever get a hold of you, which we know we probably won't - but if we do, what is that game about? Well, in part, it's about, I'm guessing, some kind of an effort by the government to signal that, you know, look, you really are - we know that you're intruding on our sovereignty, and we're really not happy about it. And this is one of the responses that we are choosing to take.
Robert Carolina: Now, that's a whole lot nicer than sort of, like, sending a cruise missile to somebody's door because, at the moment, international law simply would not recognize that second action as appropriate. In fact, it would be reviled as absolutely and utterly inappropriate under the circumstances. And where I think a lot of people are having difficulty and where time - only time will tell is, how do you calibrate a noncyber response to a cyber intrusion? You know, I mean, if somebody breaks into critical national infrastructure and decides to poison the water supply of a target state or decides to take over remote control of a nuclear generator and pull all the rods out and melt it down, I mean, that's a no-brainer. I mean, that's the equivalent of dropping a bomb on, you know, 10,000 people. That's a well-understood process. But what nobody quite understands yet is, well, they were laying the groundwork for, or they made an inappropriate change to a reference file, or they deleted log files to try to cover their tracks, or they interfered with the integrity of certain data sets, or they - well, what does any of that - how do we map that onto a real-world response? You know, what does that merit? We send 500 troops into a border town or, you know, somebody puts the 101st Airborne on high alert, or - what precisely would be an appropriate response to that, and why? I think those are where the real challenges are coming.
Dave Bittner: Yeah. Do we turn off their lights for a few hours and say, you know, nice town you got here - it'd be a shame if anything were to happen to it?
Robert Carolina: Well, now, you see, there you go. I mean, now, that is an example of an offensive operation that has a significant kinetic effect. You know, if you turn off somebody's power grid for a couple hours, there are any number of people who could probably do a calculation on, how many folks is that likely to kill?
Dave Bittner: Right.
Robert Carolina: Because you know, you turn off vital services - we measure the results in deaths.
Dave Bittner: Yeah.
Robert Carolina: It's not a pretty picture, is it, Dave?
Dave Bittner: Well, no, but it's fascinating to think about. And thank you for taking the time for us. I really appreciate it. I feel like it's always time well-spent when I get to chat with you.
Robert Carolina: It's been my pleasure.
Dave Bittner: All right, Ben, what do you think?
Ben Yelin: It really is a great interview. He has a really commanding style, and I like how he sort of pushes back and challenges the premises of your questions.
Dave Bittner: Yeah.
Ben Yelin: It was really interesting. I mean, some of it is very abstract. What do we really own in terms of our own communications? Do we have tangible property rights? And who owns the internet? - I think are, in some ways, kind of unanswerable questions. I think he does a really good job of going through that and describing it. You know, one thing that it's invoked for me because I'm always thinking about this stuff is the implications for national security electronic surveillance. And the fact that there are all these midpoints in all internet transactions means that there are a lot of different methods and avenues for the government to obtain communications for national security purposes, especially under lax authorities than they'd otherwise need if those communications were wholly within the United States. And so I think that's been kind of a boon to the national security state, the fact that a lot of the communications are stored on overseas servers. So that's one thing I certainly thought about while listening to the interview.
Dave Bittner: Yeah. Well, again, our thanks to Robert Carolina for joining us. We do appreciate him taking the time. Hopefully we'll be able to have him back sometime soon.
Dave Bittner: We want to thank all of you for listening. That is our show. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Ben Yelin: And I'm Ben Yelin.
Dave Bittner: Thanks for listening.