1
00:00:00,410 --> 00:00:03,149
And I say, all right, foreign head of state,

2
00:00:03,150 --> 00:00:12,570
because it seems that he's doing such interesting work that we could not just find pause where he is run owns

3
00:00:12,570 --> 00:00:18,899
percentage and if nothing else we're demonstrating that we're not justifying very strong specialist and policy.

4
00:00:18,900 --> 00:00:23,010
Well very, very well established professors speaking really like they are.

5
00:00:23,250 --> 00:00:31,800
It's also important to have new blood, new ideas, fresh thinking about subjects, about this particular subject of cybersecurity.

6
00:00:32,370 --> 00:00:35,909
And this what may or may not be an age of privateering vessels,

7
00:00:35,910 --> 00:00:46,110
especially as opposed to this very day foreign is doing this inside cybersecurity, which we began in 2013.

8
00:00:47,040 --> 00:00:52,980
He has been suspended all this time looking at national transnational actors in the

9
00:00:53,190 --> 00:00:58,229
cybersecurity world and its impact upon international affairs and international politics.

10
00:00:58,230 --> 00:01:07,080
We were discussing that over lunch earlier. He has an undergraduate degree in law and international affairs University of CENTCOM and holds a

11
00:01:07,080 --> 00:01:12,750
master's in international relations from the Graduate Institute of International Studies in Geneva,

12
00:01:13,950 --> 00:01:18,450
Florida. Who is you? Apply for jobs? No problem.

13
00:01:18,870 --> 00:01:24,930
Thank you very much for coming. It's a pleasure to see so many familiar faces here and I welcome you all.

14
00:01:26,400 --> 00:01:29,130
This talk is part of a project.

15
00:01:29,430 --> 00:01:35,790
This talk represents an argument that is part of a project that I developed in my first year at the Centre for Cybersecurity,

16
00:01:37,980 --> 00:01:45,690
and I will develop the argument further into the dphil. So I'll be particularly interested in your comments and feedback in a way to take this,

17
00:01:45,700 --> 00:01:49,530
what kind of implications the argument might have and how we might refine it.

18
00:01:51,060 --> 00:01:55,080
The argument will also be published as part of the launch of a new Cyber Security

19
00:01:55,080 --> 00:02:00,570
or Cyber Studies Working Paper series at the DPR here in Oxford and tomorrow.

20
00:02:00,660 --> 00:02:04,380
So if you're interested in it, look at it, look at the site tomorrow.

21
00:02:05,490 --> 00:02:12,270
So let me start. Cybersecurity, cyber security is a classic problem with our passports.

22
00:02:12,840 --> 00:02:20,010
Threats propagating through the transnational and globally interconnected cyberspace are difficult to manage with conventional state instruments.

23
00:02:21,300 --> 00:02:28,170
While as Joe Nye frames it, states are struggling to understand and define their interests in the cyber domain.

24
00:02:28,200 --> 00:02:34,440
The Academy still grapples with interpreting and modelling this actor rich and seemingly chaotic security environment.

25
00:02:35,550 --> 00:02:42,120
The use of historical analogies can hinder or help this analytical task with profound implications for policy.

26
00:02:42,840 --> 00:02:50,700
So an analogy always carries with it. Practical implications about contents causes expectations, norms and strategic choices.

27
00:02:51,960 --> 00:02:58,500
In addition, recent scholarship highlighted the constitutive purpose of analogies in the policy making process,

28
00:02:59,370 --> 00:03:05,130
and this highlights how a problem space can be constituted by the use of analogy for policymakers.

29
00:03:05,820 --> 00:03:11,460
In short, the choice of analogies shapes the way scholars and practitioners perceive problems.

30
00:03:12,240 --> 00:03:15,690
Thus, we should think carefully about what analogies we use.

31
00:03:17,390 --> 00:03:23,150
I've seen an analogy to policy mechanism used in for framing the problems of cyber security.

32
00:03:23,870 --> 00:03:30,859
Specifically, security analysts and policymakers who work during the Cold War have been quick to you to make use

33
00:03:30,860 --> 00:03:37,070
of the Cold War strategic concepts such as classical deterrence and portent to the cyber realm.

34
00:03:38,300 --> 00:03:46,740
This can raise severe problems as it leads back to state centric assumptions that hindered interpretations of new forms of state.

35
00:03:46,740 --> 00:03:50,090
The non-traditional agency characterising the cyber phenomenon.

36
00:03:52,010 --> 00:03:56,570
So the analysis of cybersecurity requires more appropriate historical analogies.

37
00:03:57,470 --> 00:04:00,050
Instead of focusing on these state centric analogies.

38
00:04:00,620 --> 00:04:07,040
I look at challenges arising from the murkiness of state and non-state distinctions in the age of privateering.

39
00:04:07,820 --> 00:04:16,340
And I develop this historic and a historical analogy to capture problems of the state action in a historically largely ungoverned security space,

40
00:04:16,550 --> 00:04:26,650
namely the sea. I examine the actors involved with various degrees of state involvement in the ungoverned seas a previous centuries.

41
00:04:27,200 --> 00:04:32,000
Specifically, I look at navies, mercantile companies, pirates and privateers.

42
00:04:32,900 --> 00:04:37,520
And lessons from them are drawn for the analysis of contemporary problems of cyber insecurity.

43
00:04:39,160 --> 00:04:45,100
The argument that I make can be seen in the context of a broader stream of research connecting to the new wars,

44
00:04:45,100 --> 00:04:51,460
literature and the new medievalism literature, but also the literature on private authority and the privatisation of security.

45
00:04:53,070 --> 00:04:56,970
Thereby I problematise the non-state menace of non-state actors.

46
00:04:57,660 --> 00:05:04,260
Quoting from the introduction of an edited book on non-state armed groups by Keefe, Crouse and Jennifer Milligan.

47
00:05:04,740 --> 00:05:12,330
They said many so-called non-state armed groups are also deeply entangled with state power and state agents in complex ways.

48
00:05:12,990 --> 00:05:18,480
Thus, the label non-state represents a barrier to understanding their multiple roles and functions.

49
00:05:20,710 --> 00:05:27,430
So I am I am to break up this barrier by introducing more nuanced conceptual understandings between state and non-state actors.

50
00:05:28,570 --> 00:05:36,000
I am sorry. That was a big quick. Let me see whether the computer can handle it.

51
00:05:37,050 --> 00:05:42,930
There we go. I will continue by outlining the history of both profiteering and cyber security.

52
00:05:43,080 --> 00:05:51,600
Obviously, very brief. Secondly, I will compare the two themes by identifying similarities and dissimilarities in the roles of state actors,

53
00:05:51,870 --> 00:05:59,550
semi-state actors and criminal actors. And third, I will discuss the limitations of the Privateering analogy as a conceptual benchmark,

54
00:05:59,760 --> 00:06:04,140
as well as using this analogy to make policy decisions on cyber security.

55
00:06:06,390 --> 00:06:11,040
So let me go into the brief history. What is the private sphere and when did it come into existence?

56
00:06:11,880 --> 00:06:15,300
Privateer can be a ship or a person engaged in Privateering.

57
00:06:16,050 --> 00:06:22,170
Usually it's referred to as a privately owned vessel that operates against an enemy

58
00:06:22,440 --> 00:06:28,080
with the license or commission of the government at times of war and the pirate.

59
00:06:28,290 --> 00:06:31,890
The privateer differs from the pirate with regard to the authority of the state.

60
00:06:32,820 --> 00:06:38,940
The use of privateers was established state practice between roughly the 13th century and the 19th century.

61
00:06:39,720 --> 00:06:44,220
It ended with an international agreement abolishing the practice of Privateering in 1856.

62
00:06:46,480 --> 00:06:50,080
Clearly our expert in Privateering would say that it continued, the practice continue,

63
00:06:50,090 --> 00:06:55,210
but the agreement basically abolished the international practice of it.

64
00:06:55,900 --> 00:07:02,830
Now, earliest references in England date back to King Henry, the third, who ordered men of the coastal towns to,

65
00:07:02,860 --> 00:07:10,810
quote, commit every possible injury to the French at sea, unquote, and share half of the profits with the king.

66
00:07:12,070 --> 00:07:17,530
Privateering can be differentiated from the practice of reprisal during peace times.

67
00:07:18,010 --> 00:07:24,880
Letters of Marque could be issued to merchants that sought redress against harms they suffered from foreigners at sea.

68
00:07:25,870 --> 00:07:32,410
This would allow the merchant to attack other ships of that nation until he finds something equal to the value of his loss.

69
00:07:34,300 --> 00:07:42,550
As merchant shipping increased state exploitation day to in times of war, privateers were used to disrupt shipping and gain income.

70
00:07:43,240 --> 00:07:46,000
Privateering was often sponsored by private capital.

71
00:07:46,480 --> 00:07:56,050
Famously, the Elizabethan sea dogs engaged to engage the Spanish in the new world, raising large sums of money for themselves and for the crown.

72
00:07:57,190 --> 00:08:02,590
However, this did not come without problems. Take the famous privateer Sir Walter Raleigh.

73
00:08:03,130 --> 00:08:05,380
He was knighted for his services to the court.

74
00:08:06,130 --> 00:08:13,060
However, he did not stop looting after the peace treaty between England and Spain and was therefore executed by the Order of James the first.

75
00:08:13,750 --> 00:08:18,670
So this is a case in point of how privateers actually step outside the interests of a state.

76
00:08:20,680 --> 00:08:25,390
The longer the wars lasted, the more privateering was professionalised and institutionalised.

77
00:08:25,750 --> 00:08:30,580
At the end of wars, privateers were either integrated into Navy or became pirates.

78
00:08:31,360 --> 00:08:34,630
Now we can see how the line between a privateer and a pirate will be blood.

79
00:08:35,890 --> 00:08:41,560
The French started to invest in privateers or corsairs in the late 17th century.

80
00:08:42,010 --> 00:08:46,210
They provided an ideal weapon against the English who rely more on foreign trade.

81
00:08:48,550 --> 00:08:49,900
Let's look at piracy.

82
00:08:49,930 --> 00:08:58,570
Piracy proved to be problematic for England, as English pirates did not refrain from attacking ships of local rulers in English colonies.

83
00:08:59,500 --> 00:09:07,630
This happened in India, for example, where the mogul demanded to be protected from English speaking pirates by the English East India Company.

84
00:09:08,410 --> 00:09:12,040
In turn, the company was also attacked by English speaking pirates.

85
00:09:12,460 --> 00:09:18,820
The company demanded protection from the Royal Navy. This only caused the pirates to move to the Bahamas.

86
00:09:19,300 --> 00:09:25,629
But it is an episode that will come back to later. And during the 18th and early 19th century,

87
00:09:25,630 --> 00:09:30,940
the British state reacted against pirates by offering incentives to the pirates implementing

88
00:09:30,940 --> 00:09:35,770
a legal reform in the colonies who were sometimes complicit in the prior trade,

89
00:09:36,130 --> 00:09:43,630
and sending the Royal Navy to destroy the pirate home bases. After a period of decline of English privateering.

90
00:09:44,050 --> 00:09:52,630
It research in the 18th century, Britain adopted a policy that encouraged privateers to attack neutral ships trading with French colonial goods.

91
00:09:53,830 --> 00:10:00,670
However, by the end of the 18th century, it was mostly the U.S. and France that employed privateers against Britain.

92
00:10:02,080 --> 00:10:05,470
Privateering had evolved into a weapon of the weak against the strong.

93
00:10:05,830 --> 00:10:12,430
Although it was invented by the strong states of Europe, whose naval power was partially an outgrowth of privateering.

94
00:10:14,410 --> 00:10:20,260
Privateering was abolished by the Congress of Paris in 1856 in a political deal as a demand of the British,

95
00:10:20,440 --> 00:10:27,550
who in return committed to protect neutral trade and whoever is interested in this really read.

96
00:10:27,580 --> 00:10:32,440
Dr. John Limited spoke on the abolition of Privateering, who excellently covered this.

97
00:10:33,580 --> 00:10:38,530
And of course, this whole history would not be complete without highlighting the concurrent

98
00:10:38,530 --> 00:10:42,400
development of the nation state and the institution of national sovereignty.

99
00:10:43,120 --> 00:10:47,470
Sovereignty on the high seas will be linked to a state's capacity to control,

100
00:10:48,040 --> 00:10:53,110
and the absence of sovereignty is one of the preconditions for the presence of actors that I discuss.

101
00:10:55,120 --> 00:10:59,380
So let me turn to cyberspace. Relatively brief history of cyberspace.

102
00:11:00,010 --> 00:11:03,220
Growing out of the defence and academically funded network,

103
00:11:03,700 --> 00:11:09,880
it was really the commercialisation and the advances of personal computing that gave rise to the growth of cyberspace.

104
00:11:10,750 --> 00:11:14,860
Early design choices did not prioritise confidentiality concerns.

105
00:11:15,430 --> 00:11:19,060
Rather, they focussed on the ability to connect and on packet delivery.

106
00:11:20,530 --> 00:11:24,550
Different actors have shaped the norms associated with cyberspace.

107
00:11:25,150 --> 00:11:31,080
The early proponents focussed on an open, unregulated network, but with the expansion of the network,

108
00:11:31,090 --> 00:11:37,990
states started to realise the vulnerabilities of the relatively unchecked interconnectivity with the rest of the world,

109
00:11:39,520 --> 00:11:42,610
alongside an increase of a technically literate user base.

110
00:11:43,060 --> 00:11:48,400
Attacks also rose. At first, computer emergency response teams were formed.

111
00:11:49,030 --> 00:11:53,380
For example, the Carnegie Mellon University site in 1998 was one of the first,

112
00:11:54,130 --> 00:11:58,240
and they were formed to respond to the technical challenges of a growing number of threats.

113
00:11:58,900 --> 00:12:02,680
Deserts started cooperating internationally by sharing data.

114
00:12:03,490 --> 00:12:12,460
However, whilst performing the same basic function, the diversity of national political systems and practices led to challenges regarding cooperation.

115
00:12:14,410 --> 00:12:19,120
So states have reacted to the security challenges from cyberspace in different ways.

116
00:12:19,810 --> 00:12:28,300
The United States military has evolved its policy of information warfare from the early 1990s into a fully operational cyber command structure.

117
00:12:29,020 --> 00:12:34,300
But this was both this was done both as a quest for information dominance in warfare,

118
00:12:34,540 --> 00:12:40,180
but also because the interconnectivity of critical infrastructures post new risks to national security.

119
00:12:40,870 --> 00:12:47,170
Clearly, it was also done as a sort of budgetary inter-agency process where the military wanted a piece of the cake.

120
00:12:48,460 --> 00:12:53,890
Similarly, most advanced industrialised states have tossed their defence and intelligence

121
00:12:53,890 --> 00:12:57,790
agencies with a large role in implementing their cyber security strategies,

122
00:12:58,540 --> 00:13:01,960
growing out of the capabilities of the traditional signals intelligence.

123
00:13:02,380 --> 00:13:06,760
Many states have teams working on how to exploit cyberspace for their own interests.

124
00:13:07,810 --> 00:13:11,470
So the use of private actors by states is of particular interest to me.

125
00:13:12,550 --> 00:13:19,780
And this leads me to Heart of the talk, where I've developed a framework of how I'm going to compare the two domains.

126
00:13:20,500 --> 00:13:27,549
First, going to go through state actors preparing many cyber armies, intelligence and intelligence agencies,

127
00:13:27,550 --> 00:13:33,420
police forces and contractors then go through the same state actors with marketing companies and privateers and

128
00:13:33,430 --> 00:13:39,130
technology champions and patriotic hackers and some cyber criminal elements on the on the cyberspace side.

129
00:13:39,430 --> 00:13:42,490
And then criminal actors with pirates and cyber organised crime.

130
00:13:47,150 --> 00:13:53,960
So let me start with the state actors. Well, states first used to make heavy use of privateers.

131
00:13:54,500 --> 00:13:59,930
By the end of the 16th century, states with ambitions for naval influence needed professional navies.

132
00:14:00,530 --> 00:14:06,800
Spain, England, the Netherlands. All invested in state owned naval capabilities early on.

133
00:14:07,190 --> 00:14:14,990
Whereas other powers continued to rely heavily on a combination of privateering and renting warships from other powers, for example, France.

134
00:14:16,520 --> 00:14:19,850
Public recruitment rendered privateering more regulated.

135
00:14:20,420 --> 00:14:24,110
For example, in order to prevent competition for personnel.

136
00:14:24,230 --> 00:14:33,260
So the war for talent. A quota of professional sailors for privateering ships was introduced so that not all the sailors go on the privateer boat.

137
00:14:34,430 --> 00:14:40,400
Whilst Privateering continued to be an auxiliary method to grieve in enemy's waterways,

138
00:14:40,820 --> 00:14:51,080
but professional navies were able to perform more complicated and resource intensive tasks, such as establishing blockades on enemy's ports in cyber.

139
00:14:51,410 --> 00:14:54,110
Various efforts for public recruitment are on the way.

140
00:14:54,890 --> 00:15:00,320
Since the 2000s many states have invested in cyber defence, intelligence and policing capabilities.

141
00:15:00,950 --> 00:15:04,190
There are different ways in which cyber capacities are developed.

142
00:15:04,790 --> 00:15:11,120
Some states invest in governmental capabilities, refraining from relying heavily on third party support.

143
00:15:11,870 --> 00:15:12,380
However,

144
00:15:12,770 --> 00:15:23,120
there is a range of cybersecurity contractor services that offer anything from intelligence to surveillance to offensive operational capabilities.

145
00:15:23,840 --> 00:15:27,620
The spectrum covers defence, intelligence and policing tasks.

146
00:15:29,230 --> 00:15:35,320
States can use these services to jumpstart their own technical capabilities in operating in the cyber realm,

147
00:15:36,280 --> 00:15:45,340
expensive manpower developing so-called zero day exploits is outsourced to companies who act as middlemen buying and selling exploits.

148
00:15:45,640 --> 00:15:48,310
A zero day exploit is a is an exploit,

149
00:15:48,310 --> 00:15:56,080
a piece of code that can take advantage of a system or take advantage of a vulnerability that has not been disclosed to anybody else.

150
00:15:56,620 --> 00:16:03,250
So you basically get a one free go at the system. Let me switch to the semi-state actors.

151
00:16:04,540 --> 00:16:10,390
Mercantile companies perform semi-state functions interested in unregulated profit making.

152
00:16:10,810 --> 00:16:15,100
They operated with state consent, assuming sovereign like functions abroad.

153
00:16:15,940 --> 00:16:19,540
The right to raise an army and to declare war illustrates this point clearly.

154
00:16:20,230 --> 00:16:22,060
That's a quote from Kenneth Thompson.

155
00:16:22,660 --> 00:16:31,090
At the heart of these practices was the state building process to attain wealth and power promised by overseas expansion.

156
00:16:31,420 --> 00:16:35,470
States empowered non-state actors to exercise violence, end quote.

157
00:16:36,970 --> 00:16:42,850
The companies operate their own foreign policies, make deals with other companies or state or went to war with them,

158
00:16:42,880 --> 00:16:45,190
sometimes against the interests of their home states.

159
00:16:45,910 --> 00:16:52,000
The companies also use the association with the state to stabilise their operations base and seek protection.

160
00:16:52,600 --> 00:16:59,110
For example, we heard before that when the East India Company was under pirate attack, they sought protection from the Royal Navy.

161
00:17:00,580 --> 00:17:05,410
However, the mercantile companies were also used as a source of revenue and power.

162
00:17:06,010 --> 00:17:12,580
For a long time, these companies ruled vast territories and it is important to highlight the political economy aspect of it.

163
00:17:12,820 --> 00:17:18,880
So in a mercantilist economy, the political and the economy economic were not functionally differentiated.

164
00:17:19,270 --> 00:17:23,499
So the term mercantile reflects the symbiotic alliance between the state and

165
00:17:23,500 --> 00:17:28,030
commercial interests in pursuit of power and wealth at the expense of other states.

166
00:17:29,200 --> 00:17:33,610
Arguably, there is no modern day equivalent of the mercantile company.

167
00:17:34,240 --> 00:17:39,640
The closest analogies that one can make all the technology champions and telecommunication providers,

168
00:17:40,150 --> 00:17:44,890
they hold large market and informational power in between countries.

169
00:17:45,250 --> 00:17:49,570
And I've given you some selections of what I think of when I think about mercantile companies.

170
00:17:50,500 --> 00:18:00,700
Know some are in the United States so Apple Microsoft Google the AT&T of these world or while away in China or Deutsche Telekom in Germany.

171
00:18:00,850 --> 00:18:06,560
There are plenty of examples to draw from. Sorry.

172
00:18:12,710 --> 00:18:19,680
So. So in the case of the US companies,

173
00:18:19,680 --> 00:18:25,950
the link with the state was made apparent by the Snowden disclosures regarding the National Security Agency's activities.

174
00:18:26,710 --> 00:18:30,600
The most prominent example is a US government program codenamed Prison,

175
00:18:30,960 --> 00:18:38,790
in which the government compelled several telecommunication providers to cooperate with them so as to facilitate data collection among the US persons.

176
00:18:40,290 --> 00:18:48,570
The exact nature of voluntarily shared data between private corporations and state agencies is a question of further research.

177
00:18:49,380 --> 00:18:54,300
Similar relationships exist elsewhere. Reports in the press are.

178
00:18:54,660 --> 00:18:58,140
I have been documenting the same for France and the United Kingdom.

179
00:18:58,440 --> 00:19:02,280
But this is just what is public knowledge. I'm sure it would exist elsewhere as well.

180
00:19:02,940 --> 00:19:06,420
The relationships between these states and the companies are usually kept secret.

181
00:19:07,620 --> 00:19:14,130
States profit from the globalised market dominating nature of these commercial enterprises in the

182
00:19:14,140 --> 00:19:20,610
identity sector by gaining access to information and consequently to another vector of power.

183
00:19:23,040 --> 00:19:31,170
Another resemblance with mercantile companies is shared when companies are able to levy state resources for their own defence abroad.

184
00:19:32,370 --> 00:19:36,449
So one example was provided by Google's actions in 2009 and 2010.

185
00:19:36,450 --> 00:19:44,790
In China, when Google faced allegedly Chinese governmental intrusions, the American state officials became involved very quickly.

186
00:19:45,600 --> 00:19:49,170
Just like the British East India Company called on the Royal Navy.

187
00:19:49,530 --> 00:19:54,180
Google reached out both to the US State Department and the NSA for help.

188
00:19:56,540 --> 00:20:04,130
A third resemblance of the multinational city companies and mercantile companies emerges from their interaction with different state actors.

189
00:20:04,730 --> 00:20:10,549
So on the one hand, multinational companies have a commercial incentive to offer to offer their

190
00:20:10,550 --> 00:20:14,270
intelligence collection capabilities to more than just their home government.

191
00:20:20,510 --> 00:20:25,370
On the other hand, in the interest of selling their services to foreign governments,

192
00:20:25,880 --> 00:20:30,080
companies have to convince governmental buyers of the security of their product.

193
00:20:30,830 --> 00:20:38,060
And from these dual objectives. Incentives arise that are different from the home states objectives.

194
00:20:39,440 --> 00:20:45,890
Also, the legal domicile of the company exposes it directly to the legal risks of the respective country.

195
00:20:46,700 --> 00:20:56,030
However, due to the global operations of the company, it may be influenced by any state that has sufficient leverage over the companies undertakings.

196
00:20:57,710 --> 00:21:02,150
And again, the interaction between these different objectives. This is an important area of further research.

197
00:21:02,150 --> 00:21:08,090
It's something that I can't give definitive judgements. So let's move to the privateers.

198
00:21:11,120 --> 00:21:15,770
Moving from the mercantile companies. The most prominent semi-state actors were the privateers.

199
00:21:16,130 --> 00:21:18,080
There were private individuals, for example,

200
00:21:18,080 --> 00:21:26,330
merchants that use private equipment at their own risk to fulfil the mercantilist state sponsored goal of attacking enemy commerce.

201
00:21:26,900 --> 00:21:32,270
In return, they profited from the booty. The state benefited from this undertaking.

202
00:21:32,300 --> 00:21:39,440
Twofold. On the one hand, it was a way of disrupting enemy commerce and consequently for the own merchants to profit.

203
00:21:40,250 --> 00:21:45,170
On the other hand, it provided a good source of income in cyber.

204
00:21:45,200 --> 00:21:50,990
There is a similar development, but we need to differentiate between the political and the economic privateers.

205
00:21:51,680 --> 00:21:55,040
Although not restricted to countries at war,

206
00:21:55,400 --> 00:22:03,980
attacks against companies are regularly attributed to patriotic hackers working in the political and economic interest of a country.

207
00:22:04,280 --> 00:22:08,450
Patriotic hackers have been active in many highly visible cases.

208
00:22:09,050 --> 00:22:18,800
Political cases ranged from Russian hackers attacking Estonian 27 to Chinese and US hackers attacking each other in 99 and 2001,

209
00:22:19,100 --> 00:22:22,940
and Muslim and Israeli hackers hacking themselves each other ongoing.

210
00:22:24,020 --> 00:22:29,600
There is a closer economic and political alignment of interests between hackers and government.

211
00:22:30,680 --> 00:22:31,430
On the one hand,

212
00:22:31,820 --> 00:22:40,580
there are hackers who form part of a governmental effort to raise cyber capacity instead of recruiting personnel for governmental positions.

213
00:22:40,850 --> 00:22:44,870
The government relies on the support of private personnel in several countries.

214
00:22:45,170 --> 00:22:50,030
So here I'm thinking of the cyber militias that several countries have raised.

215
00:22:50,720 --> 00:23:00,770
On the other hand, recent reports have indicated a shift of groups formerly known to be engaged in political attacks toward more economic targets,

216
00:23:01,220 --> 00:23:04,340
focusing on economic espionage and intellectual property theft.

217
00:23:05,270 --> 00:23:12,080
The use and encouragement of private talent for economic wealth transfer is the real modern version of Privateering.

218
00:23:14,670 --> 00:23:17,910
So let's look at the case of Russia in the case of Russia.

219
00:23:17,940 --> 00:23:25,860
Allegations have been made about the close alignment of Russian and Eastern European cybercrime networks with Russian state interests.

220
00:23:26,730 --> 00:23:30,390
The influence and direction of criminal activity is multilayered.

221
00:23:31,350 --> 00:23:37,860
An example is the discretionary enforcement based on the targets that the criminals select.

222
00:23:38,820 --> 00:23:43,950
Another is the way cyber criminals become active in the Russian political efforts.

223
00:23:44,730 --> 00:23:49,740
Clearly, the use of non-state actors by governments is an argument, a possibility.

224
00:23:50,140 --> 00:23:54,240
Empirical evidence is usually incomplete and open to interpretation.

225
00:23:55,830 --> 00:24:04,710
Tacit support can usually be inferred by the absence of cooperation between governments in the presence of a mutual legal assistance treaty.

226
00:24:05,520 --> 00:24:11,340
For example, when Estonia was attacked by patriotic hackers from Russian IP addresses,

227
00:24:11,700 --> 00:24:18,060
the Mutual Legal Assistance Treaty should have led to responsible state behaviour as expected by international law,

228
00:24:18,210 --> 00:24:21,840
meaning forensic evidence being exchanged. That did not happen.

229
00:24:22,590 --> 00:24:26,669
That's also why I've given you a picture of the Nazi movement, the youth movement,

230
00:24:26,670 --> 00:24:36,360
that these attacks were attributed to the patriotic youth movement in Russia in the case of China.

231
00:24:36,600 --> 00:24:40,140
The Chinese hacker scene is also engaged in attacks against commerce.

232
00:24:40,740 --> 00:24:44,850
Chinese hackers and their alignment with governmental interests are well documented.

233
00:24:45,690 --> 00:24:53,610
Chinese hackers have also been used by the Chinese government to deny governmental involvement in attacks emanating from the network space.

234
00:24:53,910 --> 00:25:01,530
So the Chinese government would say they are the biggest, the biggest victim of cyber crime, which to a certain degree is also true.

235
00:25:02,940 --> 00:25:06,120
So the criminal element also gives you a plausible deniability aspect.

236
00:25:08,370 --> 00:25:14,639
So to conclude, companies, hacker groups and some cyber criminals engage at their own risk to fulfil state

237
00:25:14,640 --> 00:25:19,230
sponsored goals against the interests of other commercial and non-commercial entities.

238
00:25:21,150 --> 00:25:27,600
But sometimes the profit motive is for the state and the hacker groups are really different than in privateering.

239
00:25:28,650 --> 00:25:37,770
In cyber, states may profit indirectly by gaining capabilities of criminal hacker groups in return for tolerating cybercriminal activity.

240
00:25:38,190 --> 00:25:43,350
Whereas, in the case of Privateering states directly encouraged to profit generating activity.

241
00:25:44,370 --> 00:25:47,190
So that leads me to look at the criminal actors.

242
00:25:49,410 --> 00:25:57,600
Priorities proved to be difficult to control because they would often resort to piracy, attacking not only enemies but also neutral ships.

243
00:25:58,560 --> 00:26:06,300
This led to acts of reprisal against commerce, which increased the need for protection and raised insurance rates for merchants.

244
00:26:07,200 --> 00:26:12,930
Some pirates rejected their home states and formed pirate communities centred around their profession.

245
00:26:13,800 --> 00:26:18,630
Some states chose to pay off the pirates so that they would attack the state's enemies.

246
00:26:19,710 --> 00:26:25,170
Pirates sold their goods in pirate markets, which provided cheap colonial goods to merchants.

247
00:26:25,560 --> 00:26:30,840
And in this way, states could avoid that, could avoid being injured, profited from the pirates.

248
00:26:32,970 --> 00:26:37,110
Pirates became a problem when their actions were attributed to the country of origin.

249
00:26:37,860 --> 00:26:43,770
In the case of Britain, this meant that other states would associate the actions to the East India Company,

250
00:26:44,160 --> 00:26:46,560
which in turn requested the Royal Navy's protection.

251
00:26:47,220 --> 00:26:52,800
It was clear that a state would have to take control of private acts in its own territorial waters.

252
00:26:53,820 --> 00:27:00,480
However, on the high seas, that's different. The solution to piracy is on the high seas came in treating all pirates a stateless.

253
00:27:01,410 --> 00:27:04,980
However, this was only viable once states could define piracy.

254
00:27:05,460 --> 00:27:11,940
And in order to define piracy, a clear distinction from state sponsored and state sanctioned violence had to be made.

255
00:27:12,960 --> 00:27:18,960
This, in turn, was only possible after the the legitimation of Privateering.

256
00:27:20,610 --> 00:27:25,320
So as professional navies developed and privateering was rendered more regulated.

257
00:27:25,860 --> 00:27:29,670
The differentiation between piracy and Privateering became more formalised.

258
00:27:31,530 --> 00:27:40,050
In cyberspace, the criminal market has matured to the point that most parts of the criminal business process can be bought as a service.

259
00:27:40,800 --> 00:27:48,420
The products and services are marketed with testing possibilities, bulk order discounts and customer service and support.

260
00:27:49,920 --> 00:27:57,570
Information communication technologies have made this type of marketing easier because vendors can hide behind anonymous profiles.

261
00:27:59,040 --> 00:28:02,220
In addition, there is a market for cyber quality crimes.

262
00:28:02,700 --> 00:28:06,360
Targeted hacking as a service service can be bought in advance,

263
00:28:06,660 --> 00:28:12,030
so accounts and intellectual property of a particular organisation and intellectual

264
00:28:12,030 --> 00:28:15,510
property sometimes can also be bought as a side product of an attack.

265
00:28:17,520 --> 00:28:25,920
The collusion of some criminal organisations with the state as described before makes this activity potentially more feasible.

266
00:28:26,550 --> 00:28:32,520
Take the example of the market for zero day vulnerabilities, which is highly professionalised.

267
00:28:33,270 --> 00:28:37,800
This is due in part to the low legal risk of selling such vulnerabilities.

268
00:28:37,860 --> 00:28:46,050
It's a grey market, and in part it is due to the financially potent buyers, the public and private intelligence agencies and militaries.

269
00:28:47,370 --> 00:28:51,390
There are some regional specialisations in cybercriminal underground markets.

270
00:28:51,960 --> 00:29:00,000
Latin America is mostly known for banking malware. Russian the Russian speaking on the ground, focuses on attacking financial institutions,

271
00:29:00,180 --> 00:29:05,130
but has also a large malware community with relatively high technical abilities.

272
00:29:06,090 --> 00:29:09,959
The Chinese have a large hacker community focusing on SIM card scams,

273
00:29:09,960 --> 00:29:19,350
online gaming fraud and intellectual property theft and in West Africa is best known for upfront payment scams, but also fraudsters.

274
00:29:19,650 --> 00:29:26,430
There are some reports that fraudsters are leveraging the information left in electronic waste exported to the region.

275
00:29:27,030 --> 00:29:35,070
So there was a case where the Department of Defence exported some electronic waste, some hard drives to West Africa.

276
00:29:35,310 --> 00:29:43,260
And some young some young person actually realised that one could still retrieve information from the hard drive,

277
00:29:43,560 --> 00:29:53,010
which makes it an interesting business for selling the information to both the cybercriminal economy and pirate bases.

278
00:29:53,010 --> 00:30:00,810
Bring substantial revenue to a country. The country of IT profits both in terms of financial and informational inflow.

279
00:30:01,140 --> 00:30:09,750
And some states may have an interest in harbouring cybercrime, especially when states are able to steer the target selection of cyber criminals.

280
00:30:10,950 --> 00:30:11,640
In addition,

281
00:30:11,970 --> 00:30:21,210
states that would like to have a plausible deniability and to hide behind a hacker group are dependent on the existence of cybercriminals.

282
00:30:22,050 --> 00:30:29,460
Unlike in the age of piracy today, states don't have to fear reprisals against their companies,

283
00:30:30,540 --> 00:30:36,600
but corporations will nevertheless have a strong interest in protecting their informational assets from theft.

284
00:30:37,800 --> 00:30:41,850
So at this stage, we have to think about this a little bit.

285
00:30:41,880 --> 00:30:46,740
At this stage, it is unclear with what measures corporations will protect their assets.

286
00:30:47,400 --> 00:30:50,790
And on ships, merchants would have armed their vessels.

287
00:30:51,210 --> 00:30:53,520
So I'm asking, will the same be true for cyber?

288
00:30:56,860 --> 00:31:02,020
The analogy has made apparent that a clear distinction between state sponsored and state tolerated cyber

289
00:31:02,050 --> 00:31:08,890
attacks has to be made in order for an international regime against cybercrime to form the Budapest.

290
00:31:08,890 --> 00:31:15,190
Conventional cybercrime and its 50 signatories provide a good starting point for an international regime on cybercrime.

291
00:31:15,790 --> 00:31:19,870
However, police cooperation with the rest of the world remains limited.

292
00:31:20,980 --> 00:31:22,360
The UNODC,

293
00:31:22,660 --> 00:31:32,650
in its 2013 report to which Professor Ian Brown contributed that was a report on cybercrime diplomatically pointed out the various shortcomings.

294
00:31:33,670 --> 00:31:40,510
And I would conclude as long as the use of cyber criminals against other states and corporations remains a policy option,

295
00:31:40,960 --> 00:31:44,140
an international regime against cybercrime cannot be expected.

296
00:31:46,900 --> 00:31:49,290
So let me come to the two way. Where to you?

297
00:31:49,630 --> 00:31:56,260
The limitations of this analogy with analogies, it's always the case that there are some parts of the analogy that don't fit.

298
00:31:57,520 --> 00:32:01,360
Let me start with one that actually I think it fits better than other people think.

299
00:32:01,690 --> 00:32:09,310
The Cost of entry. Joe Nye makes the argument that on the sea these days for having an aircraft carrier group,

300
00:32:09,520 --> 00:32:12,520
there are only a limited amount of players that can afford this.

301
00:32:12,910 --> 00:32:15,970
I would agree with him, but I would say he picks the wrong century.

302
00:32:16,390 --> 00:32:24,700
So going back to the 16th century, you had fishermen engaged in Privateering to the point that the English state actually

303
00:32:24,700 --> 00:32:30,820
had to regulate a minimum vessel size so as not everybody to practice privateering.

304
00:32:31,510 --> 00:32:37,120
So I would say the cost of entry might be different in different centuries and at different stages of the development of the realm.

305
00:32:37,870 --> 00:32:40,900
What about the number of state actors or actors in general?

306
00:32:41,620 --> 00:32:49,510
I concur. I think that on the sea, the numbers of actors that you count with are the numbers of actors that have access to the sea.

307
00:32:50,350 --> 00:32:53,530
Coming from a landlocked country, I can empathise with that.

308
00:32:54,400 --> 00:32:57,820
In cyber, everybody's your neighbour. It's very different.

309
00:32:58,060 --> 00:33:02,470
So you have a multiplicity of actors. What about geography?

310
00:33:03,340 --> 00:33:12,280
Geography on the sea. Hugely important strategic sea lanes in which if you control them, you gain a lot of leverage in cyber.

311
00:33:12,310 --> 00:33:15,070
Geography still matters, but comparatively less so.

312
00:33:15,460 --> 00:33:22,930
So it still matters, as we've seen from the Snowden disclosures, that the way that traffic is routed is important.

313
00:33:23,350 --> 00:33:28,990
If you have a lot of traffic going through your country and you can control it, it gives you potential leverage.

314
00:33:29,320 --> 00:33:36,070
But you can circumvent that. You can you can deal with that much more flexibly as an actor.

315
00:33:37,420 --> 00:33:41,500
What about attribution? Attribution is a problem both then and now.

316
00:33:42,070 --> 00:33:48,490
So then attribution. You would have to think about whether the flag matches the papers that were produced on the ship.

317
00:33:48,940 --> 00:33:54,010
And then you would have to think whether you would have to check whether the crew matches the papers that they produced.

318
00:33:54,850 --> 00:34:00,209
Well. That would be a relatively difficult undertaking if you were in the middle of the high

319
00:34:00,210 --> 00:34:04,830
seas and you don't have a national register and you don't have an international register.

320
00:34:05,460 --> 00:34:06,870
It would be a bit difficult.

321
00:34:07,350 --> 00:34:14,129
Attribution in cyber definitely a problem, relatively stimulating process in how would you attribute the biggest difference?

322
00:34:14,130 --> 00:34:22,230
And that's where I think we really have to pay attention to what that changes is that in private hearing you actually have access to the person.

323
00:34:22,710 --> 00:34:28,350
So the person that risks his life attacking you, you have direct interaction with him.

324
00:34:28,590 --> 00:34:36,930
Whereas in cyber you can operate from a relatively stable operation space where you might not fear the reprisal on your body.

325
00:34:38,880 --> 00:34:46,620
What about allegiance to the state? So I've said that mercantile companies in the realm of mercantile companies, it doesn't quite fit the analogy.

326
00:34:47,040 --> 00:34:51,480
Well, I think one way that it doesn't fit is with respect to the allegiance to the state.

327
00:34:51,960 --> 00:34:56,880
So an East India company, it was deeply entangled with the British state,

328
00:34:57,360 --> 00:35:08,580
whereas a Google we can make an argument that as a global multinational corporations, its allegiances to different states might be more complicated.

329
00:35:08,790 --> 00:35:15,090
I think this is something to explore. And then lastly, cyberspace has an artificial topography.

330
00:35:16,470 --> 00:35:20,670
We can't change the sea very much, but we can change the cyberspace.

331
00:35:20,670 --> 00:35:22,410
We can change its underlying infrastructure.

332
00:35:22,860 --> 00:35:30,300
So in the long run, rebuilding some of the protocols with security features in mind is a theoretical possibility.

333
00:35:31,110 --> 00:35:43,630
That's definitely a very different. So let me conclude.

334
00:35:47,340 --> 00:35:51,030
I've given you three conclusions here. So firstly,

335
00:35:51,030 --> 00:35:56,160
the actors present in cybersecurity with regard to the proximity to the state

336
00:35:56,490 --> 00:36:01,380
resemble the actors present in naval warfare in the 16th and 17th century.

337
00:36:02,460 --> 00:36:08,310
Secondly, the militarisation of cyberspace resembles the situation in the 16th century,

338
00:36:08,490 --> 00:36:15,600
when some states transitioned from relying on privateers to professional navies enabled warfare.

339
00:36:15,900 --> 00:36:20,970
This transition crowded out the interest in the use of non-state actors to some degree.

340
00:36:21,990 --> 00:36:26,550
State cyber capacity is in the infancy of this process.

341
00:36:28,230 --> 00:36:33,570
Militarisation could have positive consequences for a regime in terms of cyber crime,

342
00:36:34,410 --> 00:36:39,960
which is counterintuitive because some people argue militarisation of cyber is a completely bad thing to do.

343
00:36:41,250 --> 00:36:45,090
It could actually be accompanied by a decreasing interest in the use of non-state actors.

344
00:36:46,140 --> 00:36:52,860
However, just as France opted for a prolonged period using gas to cool or using their corsairs.

345
00:36:53,820 --> 00:36:57,990
The decreasing interest in the use of non-state actors is not a guarantee.

346
00:37:00,330 --> 00:37:06,719
Thirdly, the analysis of how the regime against Privateering has come about has shown that it can be traced

347
00:37:06,720 --> 00:37:12,150
back to unintended consequences of state sponsored and state tolerated non-state violence,

348
00:37:12,660 --> 00:37:16,410
coupled with a growth of commercial opportunities for sailors.

349
00:37:17,820 --> 00:37:23,280
Similarly, in the cyber world, one might expect unintended consequences to increase over time.

350
00:37:24,200 --> 00:37:28,679
Whether states will be able to coordinate their behaviour to control these unintended

351
00:37:28,680 --> 00:37:34,320
consequences whilst preserving the positive effects of cyberspace is an open question.

352
00:37:35,850 --> 00:37:42,180
And finally, it is unlikely that there will be a regime regulating the use of non-state actors any time soon.

353
00:37:42,720 --> 00:37:52,290
Existing for cooperation will continue to exist and are likely to be expanded as cybercrime becomes an increasing problem for all states.

354
00:37:52,620 --> 00:37:58,830
The scope for cooperation will increase, and the scope for collusion between state and non-state actors is likely to decrease.

355
00:37:59,940 --> 00:38:07,920
However, states are likely to continue to rely on their large technology champions to provide information and access.

356
00:38:08,670 --> 00:38:15,690
So it remains to be seen whether the Snowden disclosures will have a long term economic impact on U.S. technology firms.

357
00:38:16,050 --> 00:38:22,800
If so, we might expect industry to be an actor, significant actor working against this process.

358
00:38:24,090 --> 00:38:24,630
And that's it.