• United States



by Aaron Turner & Michael Assante

Freedom of the Cyber Seas

Apr 10, 200813 mins
Critical InfrastructureData and Information SecurityIntellectual Property

How lessons from the U.S. government's response to pirates in the early 1800s can help the next president of the United States improve information security

The late 18th century was a dangerous time on the high seas. Power vacuums in the Mediterranean and the Caribbean had created the perfect breeding ground for bands of pirates to operate without any real opposition. The success of the newly-formed United States of America relied upon its ability to build and maintain business relationships around the world, and these pirates were a direct threat to the success of the American experiment in democracy.

Thomas Jefferson understood this threat and took decisive action to serve the world notice: The United States of America would defend its right to trade freely with any nation on earth.

To understand how radical Jefferson’s approach was, consider the global commercial environment at the time. By the 1770s, more than 20 percent of U.S. exports were directed towards Mediterranean ports. (For more details, see the transcript of Michael B. Oren’s speech at Columbia University, “The Middle East and the Making of the United States, 1776 to 1815.”) These shipments contained valuable goods of sufficient volume to attract the attention of the Bashaw of Tripoli (modern Libya) and his allies, the rulers of Morocco, Tunis and Algiers. The Bashaw, ruler of a semi-autonomous Ottoman province, was the leader of the loose confederation that became known as the Barbary States, and he ran an 18th-century version of what we today would call a protection racket. Tripoli had a sizeable navy, and he would station its fast corsairs and frigates along the most popular navigation routes in the Mediterranean–seizing cargo from those vessels not protected by the European powers, and extorting ransom for cargos and crews that had not paid the “protection fee.”

Once the United States officially severed ties with Great Britain, American vessels were no longer under the protection of the formidable British Navy. For nearly twenty years after U.S. independence, American policy had been to appease the Bashaw and the Barbary pirates either by paying their extortion demands from the federal treasury or by requiring private shipping companies to do so. By 1786, Barbary extortion demands totaled $1 million–an amount that represented one-tenth of the U.S. government’s entire budget at the time.

Opposing John Adams’ pirate payment policy, Jefferson championed the slogan coined by U.S. Representative Robert Goodloe Harper in 1789: “Millions for defense, not one cent for tribute.” Jefferson was also a proponent of the Mare Liberum or “Freedom of the seas” doctrine first documented in international law by Dutch jurist Hugo Grotius in 1609. Freedom of the seas was of supreme importance to the success of the United States. If America could not deliver its goods and conduct free trade, the country could not survive economically.

Following his inauguration in 1801, Jefferson translated his anti-tribute rhetoric into policy by refusing to meet the Bashaw’s demand for $225,000 from the new administration. The Bashaw declared war on the United States and cut down the flagpole flying the Stars and Stripes in front of the U.S. Consulate in Tripoli. Jefferson responded by sending a group of American warships to defend U.S. interests in the Mediterranean. From 1801 to 1805, U.S. Navy and Marine units engaged Barbary forces on both land and sea. Finally, four years of hostilities culminated in the Battle of Derna, during which American forces routed the Tripolitans and forced the Barbary States to agree to a peace treaty, which was signed in Tripoli on June 10, 1805. The First Barbary War was the debut of American military forces’ capability to project a U.S. president’s policy beyond his own borders.

In the two centuries that have followed, American presidents and military leaders have come to consider free access to the world’s oceans a fundamental component of U.S. sovereignty. The political, military and economic success of the United States is based upon the freedom to conduct commerce and project force over any ocean at any time. On many occasions, the U.S. government has been willing to exercise this freedom to protect its sovereignty, commerce and liberty. The consistent “freedom of the seas” policy and enforcement actions challenging any threat to the freedom benefit the collective international community and encourage other governments to aspire to the same goals. The current state of maritime law facilitates a stable and predictable environment–within which the United States can conduct its military and economic enterprises, assuring the continued success of the nation.

The Modern Equivalent: The Cyber Seas

In modern times, the nearly ubiquitous availability of powerful computing systems, along with the proliferation of high-speed networks, have converged to create a new version of the high seas–the cyber seas. The Internet has the potential to significantly impact the United States’ position as a world leader. Nevertheless, for the last decade, U.S. cybersecurity policy has been inconsistent and reactionary. The private sector has often been left to fend for itself, and sporadic policy statements have left U.S. government organizations, private enterprises and allies uncertain of which tack the nation will take to secure the cyber frontier.

Threats that have surfaced in cyberspace are new only because the environment is new. In fact, they follow a pattern, and the United States has successfully managed similar threats in the past. We believe that now is the time for the United States to pursue a “Freedom of the Cyber Seas” policy, based on a successful model of the past–President Jefferson’s approach to “Freedom of the Seas.” The next president of the United States has the authority to implement a new approach, one that is designed to protect the United States from the increasing threats to our government and economy in cyber space. By understanding how the U.S. historically set maritime policy and projected its military and economic power, we can learn important lessons about the U.S.’s current cybersecurity challenges.

As was the case in the late 18th century on the high seas, significant segments of the Internet have suffered from a power vacuum, within which criminals have found a safe haven to conduct illegal activities. Compare the protection payments extorted by Barbary pirates to the losses suffered by U.S. financial institutions today through Internet-enabled credit card fraud committed by organized crime rings in other countries. Unfortunately, there is not an extensive amount of public information available relating to Internet-enabled financial fraud, because most financial institutions keep the numbers private. One of the few institutions to publish comprehensive fraud statistics is the Banque de France, which in its “Statistiques de Fraude pour 2006” report details how international credit card fraud has ranged between three and six percent of all international transactions from 2002 to 2006–representing billions of euros of losses for the bank. Combine the Banque de France information with the latest data on “card-not-present” or CNP fraud (fraudulent transactions via Internet or phone), which show a 16 percent year-over-year increase from 2005 to 2006, and these criminal enterprises begin to approach the scale of Barbary pirate extortion.

Similarly, in many ways, current U.S. policy on the security of electronic commerce is similar to Adams’ appeasement approach to the Barbary pirates. The U.S. government’s inability to dictate a consistent cyber commerce protection policy is creating a financial burden on the U.S. private sector to maintain a status quo, when those resources could be used to mount a more-effective Internet-focused defense. In the case of financial fraud on the Internet, the costs associated with fraudulent transactions are currently borne by private companies, which then have to pass those costs on to their customers. This basically creates a system in which the financial institutions are paying a type of “tribute” to the cyber criminals, just as Adams did to the Barbary pirates.

The analogy can be extended further. The data flowing through global networks is the equivalent of maritime shipping lanes in international waters, and the networking, computing and logical assets owned by organizations are the ports from which the information flows “sail” onto the “international cyber seas.” These concepts can be counter-intuitive to enforcing any rule of law, as the jurisdictional complexities have not been fully developed. The ambiguity of Internet sovereignty causes law enforcement to err on the side of inaction to avoid violating any laws themselves.

With this in mind, one can see how a new approach could be forged that would maintain and respect sovereignty. The nation can consider using political pressure, and by extension proactive actions, to protect the “cyber sea lanes” from well-organized and significant threats. We are not advocating the use of malicious applications to shut down servers. Under this model, there are other actions the United States can take to isolate and undermine threats, while staying within the framework of international law. The efforts of the United States to disrupt the illegal drug trade provide examples of how we can work with other countries, respecting their sovereignty, while working to undermine the drug cartels and interdict threats before they arrive in U.S. ports.

The international community could move toward a system that mimics how international shipping is regulated. For example, a body of international maritime law sets expectations on the high seas and establishes responsibilities for captains to responsibly navigate their vessels at all times, including during entrance to and exit from ports. Treaties are negotiated by nations to determine how commerce is to be conducted, and traffic from rogue or hostile states is treated differently than traffic originating from friendly nations. Nations interested in increasing the value and volume of their shipping trade guarantee, to the best of their ability, the safety of traffic originating from their ports, and this in turn stimulates their economies. Governments establish policies and enforcement regimes designed to protect the general public from dangerous products that merchants may attempt to import. As a whole, maritime law has matured to the point where nations can engage in a predictable commercial trade on the high seas.

Now is the time to start developing similar policies, legal frameworks and enforcement mechanisms for Internet commerce and communications. It could be argued that such a course of action could save the Internet from itself, by establishing a system that has clearly outlined responsibilities for all Internet users, with appropriate controls to mitigate cyber threats–all while still maintaining enough flexibility and minimum overhead not to inhibit innovation. The goal is to embrace interconnecting the world, but to do so in a manner that results in a stable and more predictable environment to further promote commerce and the sharing of ideas.

What the Next President Should Do

With that goal in mind, let us consider how the United States could take a Jeffersonian approach to the cyber threats faced by our economy. The first step would be for the United States to develop a consistent policy that articulates America’s commitment to assuring the free navigation of the “cyber seas.” Perhaps most critical to the success of that policy will be a future president’s support for efforts that translate rhetoric to actions–developing initiatives to thwart cyber criminals, protecting U.S. technological sovereignty, and balancing any defensive actions to avoid violating U.S. citizens’ constitutional rights. Clearly articulated policy and consistent actions will assure a stable and predictable environment where electronic commerce can thrive, continuing to drive U.S. economic growth and avoiding the possibility of the U.S. becoming a cyber-colony subject to the whims of organized criminal efforts on the Internet.

Specifically, the president should declare U.S. intentions with a call to action to government and business leaders during the first State of the Union address. The president’s policy statement should open up a dialog to consider private- and public-sector initiatives to begin working on creative approaches to the growing number and severity of cyber incidents. Most importantly, a presidential declaration outlining the unalienable right of all nations and peoples to conduct commerce on global networks will set the tone for all cyber security efforts undertaken in the next administration. The message needs to outline how the nation can collectively prevent intrusions by building up defenses and providing lookouts in the territorial cyber waters that constitute U.S. information infrastructures. The president’s message should outline how the United States will identify, challenge and disrupt any effort to violate the national right to free commerce on the cyber seas. This message will not be lost on the criminals and nation/state actors who are currently involved in cybercrime that, virtually unimpeded, is growing in sophistication. The president’s plan must set aside appropriate resources to counter any organized affront to the announced policy.

As part of the overall presidential plan, the president also must charge an appropriate federal organization with the charter of patrolling the cyber seas–issuing challenges where necessary and taking proactive defensive action to disrupt organized threats. This organization must work closely with the law enforcement and intelligence communities to identify bad actors and devise strategies to exploit the vulnerabilities associated with online criminal activity. We can go back to the example of how this strategy can be a success by looking at U.S. efforts on the illegal drug trade’s supply lines across the Caribbean. The harassment, search and seizure activities effectively raised the cost of transporting illegal drugs, thereby forcing many drug cartels to build more-expensive transportation networks, and in some cases forcing criminals out of the market altogether. Similarly, on the cyber seas, we must increase the cost of conducting cybercrime and undermine the criminal marketplace.

The president’s policy should also outline how U.S. diplomatic efforts can be coordinated through an international coalition of nations to develop the “laws of the cyber seas.” The objective of the coalition would be to develop a body of international law designed to protect the rights of all nations and their citizens to conduct commerce and share information, with appropriate consequences outlined for those who violate those rights. There would be many issues to examine and debate, but an effort begun sooner rather than later to shape this new domain will be more effective and prevent greater losses.

The Internet has been an incredible experiment that has impacted how humans interact, conduct business and live around the world. It is time for its transition–through cooperation and where necessary unilateral action–into an established system where humankind can use it without apprehension or intimidation.

The president of the United States is one of the few individuals who have the authority and influence to affect a strategy as broad and complex as outlined above. The political, diplomatic and enforcement resources to set a consistent “freedom of the cyber seas” policy are vested in the Office of the President. Now is the time for that authority to be used to set a new course for our nation, and to challenge those who would subject America to the tyranny of criminal enterprises. Now is the time to demonstrate U.S. commitment to liberty and freedom–even on the cyber seas.

Michael Assante is an infrastructure protection strategist at the Department of Energy’s Idaho National Lab and the former VP and CSO for American Electric Power, the largest generator of electric power in the United States. Aaron Turner, who manages security technology transfer and commercialization for the Idaho National Laboratory, previously worked in several of Microsoft’s security divisions.