1. 1 Explorations in Cyber International Relations (ECIR) Multidisciplinary Team Leads: Stuart Madnick (IT Group, School of Management & Engineering Systems Division, School of Engineering) Nazli Choucri (Political Science) Students: Steven Camiña* (EECS) Jeremy Ferwerda (Political Science) Erik Fogg* (Political Science) Xitong Li (School of Management) Hamid Salim (Systems Design & Management) Fan Wei* (Mathematics) Explorations in Cyber International Relations OSD Minerva Research Project at Harvard & MIT Institutional Developments, CERTS & CyberData, and ECIR Data Dashboard Conference on Cyber International Relations: Emergent Realities of Conflict and Cooperation | October 14, 2010 * Graduated or left project

2. Empirical Data – Theory Relationship 2 Empirical Data Theory Data suggests: ideas, identifies ‘deviance’, new explorations Data needed: to confirm, explore further, develop, reframe or extend theory especially across domains (“real” and cyber) Does Korea have a lower rate of piracy per computer than the US?.. and Why What countries have increases in Total CERT Reported Incidents per Capita while others are decreasing? … and Why? How are USA Cyber Crime Dollar Loss & Total Cases changing over time? … and Why?

3. Agenda & Accomplishments Identified Relevant International Institutions and Data Sources, e.g., Computer Emergency Response Teams (CERTs) “Institutional Foundations for Cyber Security: Current Responses and New Challenges” under review by Journal of Information Technology & Politics Developed ECIR Data Dashboard Prototype & Gather Initial Data Sets “Explorations in Cyber International Relations (ECIR) - Data Dashboard Report #1: CERT Data Sources and Prototype Dashboard System”, working paper “Experiences and Challenges with using CERT Data to Analyze International Cyber Security,” Proceedings of the AIS SIGSEC Workshop on Information Security & Privacy (WISP 2009), Phoenix, Arizona, December 2009, pp. 6-16. Identified Illustrative Observations & Discoveries “Security Metrics in Comparative Perspective: Preliminary Observations,” Working Paper Other: “Exploring Terms and Taxonomies Relating to the ‘Cyber Relations’ Research Field,” draft being completed 3

4. Identified Relevant International Institutions and Data Sources Summary of findings regarding institutional responses: Not-for-Profit institutions designed to focus on cyber threats (CERT/CC, FIRST, and private CERTs). Some have transitioned to private-public partnerships International institutions established to manage interactions among advanced states (OECD) International conferences designed to communicate the potential for information technology to facilitate transitions towards sustainable development (WSIS) Functional international organizations with core missions and competencies that have added additional responsibilities (ITU) National agencies tasked with responding to cyber crime (FBI) Development of binding international legislation (Convention on Cybercrime) Organizations and strategies focused on the defense of military and intelligence networks (CCDOE, CNCI) 4

5. Identified Relevant International Institutions and Data Sources - Some Conclusions The current institutional landscape resembles a security patchwork that covers critical areas rather than an umbrella that spans all known modes and sources of cyber threat. Each of these institutional responses has different mandates, rules and responsibilities. None have complete regulatory power. There is little evidence of overarching institutional coordination – a certain degree of disconnect, or – a dynamic and shifting response to an emerging threat. Given the multiple contexts and diverse institutional motivations, responses likely will be driven by institutional imperatives and reactions to crisis than by coordinated assessment and proactive response 5

6. Identified Relevant International Institutions and Data Sources (cont’d) States may not be willing to proceed until international norms are developed; rather they will likely ‘take matters in their own hands’ and develop first order responses. The potential for significant threats is far greater than institutional capabilities to contain these threats. In other words, the ‘demand’ for security far exceeds the provision of effective ‘supply.’ Cross-sector collaboration between public, private, and volunteer organizations may serve as a temporary measure to cover holes in the current network – At some point, effective institutions will be necessary; they may develop in parallel with rising public awareness The development of effective positive incentives may be the key to further developing the institutional domain 6

7. Identified Relevant International Institutions and Data Sources Although data is fragmented, several applications are possible, e.g., – International data on cyber crime legislation and awareness can be correlated with arrest rates in individual countries -> this method may allow researchers to determine the relative rate of progress in individual nations – Similarly, it can be determined whether the enactment of cybercrime legislation has any noticeable effect on the degree of cybercrime within a country – Private sector statistics can be paired with national CERT data to determine the degree of national vulnerabilities and traffic that each CERT is capable of handling – Many of these possibilities have been investigated as part of the Data Dashboard project. 7

8. Initial Range of Data Attributes and Sources for Dashboard 8 SOURCES CERTs BSA & IDC Global Software Piracy Study CIA World Factbook Polity IV SIPRI: Stockholm International Peace Research Institute World Development Indicators Database World Bank Governance Indicators Database World Telecommunication/ICT Indicators Database

9. ECIR Data Dashboard Prototype Web User Interface 9 http://coin.mit.edu:8080/Dashboard/

10. Some Illustrative Demonstrations & Observations: Malaysia v Brazil 10 Linear scale Logarithmic scale

11. Malaysia v Brazil: Total CERT Reported Incidents per Capita 11 Some Possible explanations: Data: Initially Malaysia CERT was not capturing incidents effectively * Public Policy: Brazil addressed incidents aggressively; Malaysia was lax * Comment on “perceptions” Some Illustrative Demonstrations & Observations Brazil declining Malaysia increasing Brazil high Malaysia low Almost same How about per Internet Users? http://coin.mit.edu:8080/Dashboard/

12. Some Illustrative Demonstrations & Observations Some Possible explanations: Countries with less developed intellectual property laws are now beginning to accurately report losses, or These countries have less mechanisms in place to prevent software privacy. 12 Software Piracy Divergences OECD and Non-OECD Countries

13. 13 Some Illustrative Demonstrations & Observations USA Cyber Crime Dollar Loss Outpacing Total Cases Some Possible explanations: Budget for investigating cyber crime not increased enough over this period Individual criminals increasingly more effective at inflicting monetary damage

14. Some Illustrative Demonstrations & Observations: Software Piracy Trends 14 Korea has a much lower rate of piracy per computer than the US Germany, initially possessing a much higher ratio, has converged to the US rate China's rate is very high, decreased, then began to increase in 2006 (as well as Malaysia) Korea USA Germany China Malaysia

15. Some Illustrative Demonstrations & Observations: Trends in Cyber Crime Cases 15 In Korea the number of reported cases and arrests is converging toward a 1:1 ratio. This could mean that fewer reported cases are 'false alarms‘ or That Korean police are increasingly adept at tracking down cybercriminals. or ????

16. Some Illustrative Demonstrations & Observations: Relative rates of cyber crime cases per internet users 16 Countries tend to have stable, though different, rates of cyber crime cases per # of users Suggesting cultural differences/lack of efficacy in reducing cyber crime through education and prevention

17. Summary and Future Work Summary – Important to study cyber international relations within & across countries – Data availability, consistency, and interpretability, especially of CERT data, are challenging obstacles for the exploration – But ECIR Data Dashboard and preliminary data gathered have been useful tools & can be used in teaching CyberPolitics in IR Ongoing Work – More global data sources and categories are being identified and incorporated in the Dashboard, addition of provenance information – New Illustrative findings are being explored – Development of a taxonomy of cyber terminology by analyzing the literature using bibliometric analysis techniques – Economic and/or social incentives of improving the reporting and sharing of nation-level data are to be investigated E.g., development of “business model” for the CERTS – Show that some data provides useful insights -> Imagine what more data can do! 17