11 April 2023

Asserting a Cyber Border

David Greggs

Where is the United States border in cyberspace? Does one exist? There are a variety of opinions on the subject but few absolutes. While land, sea, and airspace boundaries remain well established, there is no cyberspace border. Without an established and defined border, homeland defense in cyberspace remains confusingly spread between public and private organizations. Discussion of cyberspace borders often runs headfirst into an argument over privacy. When should the data be inspected, and who should inspect it? These questions raise significant privacy concerns, and answering them is beyond the scope of this article. However, before we can begin to answer questions about whether or how data should be inspected, the first question to answer is where the border is. Effective discussion about homeland defense of the United States cannot progress without clarity about a cyber border.

The U.S. should assert a cyberspace border. One way to do that is the identification of internet traffic packets as they cross logical and physical infrastructure. To explore this topic, this article examines how a border enables a nation to defend itself, explores some basics of how the internet works, identifies how the cyber domain is unique, and recommends how the United States could define the cyberspace border.

A Border Enables Defense

Internationally, a nation’s sovereignty is accepted as its land territory, airspace, and twelve nautical miles from the coast. The United Nations formally established the twelve nautical miles with the Convention on the Law of the Sea. Additionally, U.S. Code and a Presidential Proclamation by Ronald Reagan have affirmed this space. While territorial disputes continue to persist, the important fact remains that there is general acceptance and international recognition of physical borders.

When Russia invaded Ukraine, the free world widely recognized that this was an invasion of sovereign Ukrainian territory. Ukraine continues to defend within their sovereign territory, with international recognition that they have the right to do so. Additionally, the U.S. and its allies provided billions of dollars in financial aid to Ukraine to support their fight. While many support Ukraine’s defensive efforts, the international community would be less likely to support a counteroffensive into Russian territory because this would be a violation of Russian sovereignty. Borders matter—when they are recognized.

Sovereign physical territory zones are well established thanks to many years of history, legal opinions, and disputes. The United States government asserts control over its territory, and the zones are generally accepted across the international community. Significant international cyber attacks across borders nevertheless continue to persist at high rates, yet international cyberspace borders remain undefined. More directly, the United States government makes no assertion as to what its cyberspace border is.

An established border provides international justification and recognition that a nation may defend itself when the border is breached. With cyberspace, this creates a problem because there are no established borders. Supporting Ukraine became an easier decision when Russia invaded it. While Russian forces remained near the border in Belarus or in Russian territory ahead of the invasion, Ukraine did not preemptively attack and would have potentially lost the international community’s support had they done so. However, once Russia crossed the border, Ukraine responded violently with the support of the international community. Essentially, an established border enabled Ukraine to defend itself. Without a border violation, Ukraine would not have the same level of support they do today.

Some Internet Basics

Before discussing cyberspace borders, it is important to establish some internet basics. In cyberspace, network traffic travels along a logical (digital) path. The logical path of data coincides with physical gateways, routers, and switches. This physical equipment, the infrastructure which makes the internet work, could be anywhere. Data does not stop moving through the physical infrastructure until it reaches its destination, as determined by the data destination address.

Every piece of information transiting the internet can be broken down into packets of data. Each packet of data includes a TO address and a FROM address. Anyone analyzing internet traffic can see the TO and FROM addresses. An easy way to think of this is a piece of mail in an envelope. The addresses are visible, but what is in the envelope may not be discernible. If the packet is encrypted, it is as if the mail were in a sort of security envelope. If someone sends a virus over the internet, the virus may be broken down into many different packets of data. However, the destination address remains visible at all times.

Additionally, at any given fractional moment in time, the packet will be physically located somewhere. Different packets could take diverse routes to get to a particular destination. Packets use both logical routing and physical infrastructure to get where they are going.

As an example, suppose a hostile actor in Russia sends a virus to a destination in California. Now, suppose the virus data enters an internet gateway in New York, then travels through multiple states before finally reaching California. The virus traverses several United States spaces (logically and physically) before reaching its destination. Data packets could be intercepted, destroyed, or blocked anywhere along the network path from New York to California. However, intercepting data and checking it for malicious activity, especially if you are not the owner of the data, creates tremendous privacy concerns.

Similar to a piece of mail moving through a postal system, we can generally see where data came from and where it is going. Users cannot always see what is inside the ‘envelope,’ or the actual data. If the package contains something malicious, such as a virus, it will not get inspected until the receiver opens it. Thus, someone could (and it happens every day) send malicious traffic through United States physical infrastructure without ever officially crossing an international border. The data may physically reside on United States infrastructure, publicly or privately owned, but international sovereignty has not been legally violated because of the lack of a legal definition of a cyber border. As a result, malicious traffic passes through United States networks and their network infrastructure (physical items), but the international border has not been crossed because there is no defined border.

A Free and Open Domain

For most of the world, cyberspace is thought of as a free and open domain. There are no borders. At least, that is how many people discuss it. The internet’s openness allows anyone to post about nearly any subject and share data across the globe. Authoritarian regimes like China, with its Great Firewall, are moderately successful in restricting the internet. Ultimately, privacy concerns in the United States outweigh desires to implement security measures that could lead to an American Great Firewall.

Defending and protecting a border in cyberspace could mean data inspections at a point of entry, like an internet gateway. Inevitably, inspections could include searches and seizures of data. Thus, privacy concerns likely remain a significant factor for why no borders have been established. However, before ideas of security implementation can be discussed, the first step is to establish a border.

A Way to Establish a Border in Cyberspace

It is possible to take some of the accepted physical border principles and apply them to cyberspace. If an enemy is in sovereign space and is on its way to a U.S. location, the United States can assert that the threat has crossed the border. In cyberspace, this means that if a packet of data passes through U.S.-owned (public or private) internet infrastructure and that packet is bound for a U.S. location, these two factors are enough to say that the packet has crossed the cyber border. Thus, the cyber border is defined by two things together: the data's current physical location on U.S. internet infrastructure, and a U.S. location as the data's ultimate destination address. If the destination address is not a United States location, then, as with a piece of mail, the United States could assert control over the data only where there is some sort of obvious red flag. If data passes through a United States network on its way to somewhere outside the United States and the data causes damage to the United States, only after the fact could the U.S. assert that the border has been crossed.

In all but rare cases, perhaps there is no reasonable justification to examine the contents of a packet of data for national defense. Asserting a border does not call for inspecting data but merely for saying that the border has been crossed. If the border is defined, public and private organizations can better discuss defending their territory. Adding a border gives weight to the crime. Lacking a border, criminals and state-sponsored cyber actors can remain ambivalent regarding the network traffic path. Without border crossings, response actions may prove more difficult, with legal considerations presenting their own challenges.
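
The two-factor test described above, as an added sketch that is not part of the original article: it reads only the IPv4 header and never the payload. The prefix table standing in for "a U.S. location", the `hop_in_us` flag, the result labels and all function names are assumptions made for illustration, and the sample packets are constructed.

```python
import ipaddress
import struct

# Constructed stand-in for "U.S. locations": an RFC 5737 documentation prefix,
# not a real allocation. A real system would need an address-to-location source.
US_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

def parse_ipv4_header(packet: bytes):
    """Return (source, destination) taken from the IPv4 header alone."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return ipaddress.ip_address(src), ipaddress.ip_address(dst)

def is_us_address(addr) -> bool:
    return any(addr in net for net in US_PREFIXES)

def classify(packet: bytes, hop_in_us: bool) -> str:
    """Apply the two factors at one observation point on the path.

    hop_in_us describes the router or gateway doing the observing; the
    packet itself carries no record of where it physically is.
    """
    _, dst = parse_ipv4_header(packet)  # bytes after the header are never read
    if not hop_in_us:
        return "outside-us-infrastructure"
    if is_us_address(dst):
        return "border-crossed"
    return "transit-only"  # per the article: assertable only on a red flag

def build_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed sample: minimal 20-byte header, checksum left at zero."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload

if __name__ == "__main__":
    opaque = bytes(range(32))  # stands in for an encrypted payload
    inbound = build_packet("203.0.113.7", "198.51.100.10", opaque)
    transit = build_packet("203.0.113.7", "192.0.2.20", opaque)
    print(classify(inbound, hop_in_us=True))    # first U.S. gateway
    print(classify(inbound, hop_in_us=False))   # hop before the gateway
    print(classify(transit, hop_in_us=True))    # passing through only
```

The same packet changes classification only when the observing hop changes, which is why the article's definition needs the physical location of the infrastructure as well as the destination address.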

By asserting that the international cyber border is the first internet gateway where internet traffic crosses into physical United States internet infrastructure with a corresponding network destination based in friendly territory, the U.S. can make a legitimate claim for homeland defense. This does not answer the question of at what level, or how, the United States government should be involved in national cyber security. However, discussion about homeland defense cannot move ahead without precision about where the United States should defend or when the nation should begin its defensive efforts.

If the United States asserts that it has a cyber border, the world may follow. Unfortunately, the United States and the international community remain in a state of confusion regarding a cyber border. The cyber border remains undefined, and its defenses disparately spread among both public and private entities.

Conclusion

It is beyond time that the United States asserts a border in cyberspace. By combining the physical location of internet traffic with its destination address, the United States could assert a border in cyberspace. A declared cyberspace border would allow public or private organizations to defend themselves, their organizations, and their people from harmful data that continues to persist.
