From the Manhattan Project to the Cloud: Arms Control in the Information Age
Assistant Secretary, Bureau of Arms Control, Verification and Compliance
Thank you for inviting me to speak today. It is an honor to be giving the Drell Lecture. Sid Drell is a living legend. His work over the years is an inspiration to me and so many others, and I am honored to have the chance to speak in his name.
I am also happy to be here at Stanford—I think I’ve come to the right place to make this speech. You’re at the top of the league tables in innovation and policy development for “connection technologies”—SMS, mobile communications, the web. It just came across my desk this week that you’ll be hosting a meeting for the State Department in February on Rio+20, “Bridging Connection Technologies and Sustainable Development.” So I know you have a lot going on here. Today, however, I’d like to take you in a policy direction you may not have thought about: the arms control world that I inhabit.
I’d like to start out by making it clear that this is not a policy speech, this is an ideas speech. I am interested in your ideas about how the astonishing advancements in connection technologies over the past sixty years affect my business, the verification of arms control treaties and agreements. By the way, I’m focusing on arms control because that’s what my job title says—but a lot of what we’ll be talking about could apply to nonproliferation policy and counterterrorism too—for example, how to find better ways to prevent “loose nukes” from falling into the hands of terrorists.
And you’ll hear me talking a lot about controlling nuclear weapons—I guess that’s natural, since the biggest deal I ever did was to negotiate the New Strategic Arms Reduction Treaty with Russia and then get it through the U.S. Senate. However, I’d like to stress that the other weapons of mass destruction—chemical and biological weapons—pose even greater challenges for arms control policy, because they are dual use and difficult to disentangle from normal industrial or commercial processes. This is akin to some of the challenges that we face with so-called “cyber arms control”—but I’ll talk about that more in a few minutes.
Nowadays, we verify that countries are fulfilling their arms control treaty obligations through a combination of information exchange, notifications of weapon status—where in the country is that ICBM?—on-site inspections, and National Means, including so-called National Technical Means (NTM). NTM are big assets—observation satellites, phased-array radars—that individual countries manage and control. It has long been a rule of arms control treaties that we don’t interfere with each other’s National Technical Means—we allow each other these eyes and ears to monitor treaties. All of the elements I’ve listed off work together to make an effective verification regime.
I should say what we mean by effective verification. Ambassador Paul Nitze defined it as follows: “if the other side moves beyond the limits of the treaty in any militarily significant way, we would be able to detect such violations in time to respond effectively and thereby deny the other side the benefit of the violation.” That’s effective verification, and it has been the benchmark for verifying compliance. To help meet this benchmark, I’ve been asking myself, can we incorporate open source information technologies and social networking into arms control verification and monitoring?
New concepts, I recognize, are not invented overnight, and we don’t understand the full range of possibilities inherent in the information age. The first electronic computers were developed at the same time as the nuclear bomb. In fact, General Leslie Groves, who ran the Manhattan Project, also was involved in developing the UNIVAC, an early computer built for military use. Believe it or not, the office I sit in today at the State Department is next door to Grove’s old office in what was then the U.S. Department of War. I often feel the pull of history in that place.
As long as we’re talking about history, I’d like to recall that at the end of World War II, Vannevar Bush, Director of the President’s Office of Scientific Research and Development, challenged those who had built the atom bomb to turn to creating new ways of managing information: “(Man) has built a civilization so complex,” Bush said, “that he needs to mechanize his records more fully if he is to push his experiment to its logical conclusion and not merely become bogged down part way there by overtaxing his limited memory”—or, one might say, his limited powers of observation and comprehension.
With the Internet, we have accomplished Vannevar Bush’s vision technically, but haven’t fully grasped its implications for national security policy. Today, any event anywhere on the planet has the potential to be broadcast globally in mere seconds. The implications for arms control and verification are interesting. It is harder to hide things nowadays. When it is harder to hide things, it is easier to be caught. The neighborhood gaze is a powerful tool.
Open Source Information Technologies and Social Networking
But how exactly can open source information technologies improve arms control verification? There are at least two ways to think about the proposition: either as an active task generating new information, analysis, and understanding; or as deep analysis of information that already is out there.
An example of the first is the Defense Advanced Research Projects Agency (DARPA) Red Balloon Challenge. In 2009, in recognition of the 40th anniversary of the Internet, DARPA held a competition where 10 red weather balloons were moored at visible fixed locations around the continental United States. The first team to identify the location of all 10 balloons won a sizable cash prize—$40,000. Over 4,300 teams composed of an estimated 2 million people from 25 countries took part in the challenge. A team from the Massachusetts Institute of Technology won the challenge, identifying all of the balloon locations in an astonishing time of 8 hours and 52 minutes. Of course, to win in such a short time or complete the challenge at all, the MIT team did not “find” the balloons themselves. They tapped into social networks with a unique incentive structure that not only incentivized people to identify a balloon location, but also incentivized people to recruit others to the team. Their win showed the enormous potential of social networking and also demonstrated how incentives can motivate large populations to work toward a common goal.
Now, how could something like this work in an arms control context? Let’s just imagine that a country, to establish its bona fides in a deep nuclear reduction environment, may wish to open itself to a verification challenge. It could seek to prove it was not stashing extra missiles in the woods, for example, or a fissile material production reactor in the desert. Of course, some form of international supervision would likely be required, to ensure the legitimacy of the challenge and its procedures. And we would have to consider whether such a challenge could cope with especially covert environments, such as caves or deep underground facilities.
I am thinking that a technique like this—let’s call it a “public verification challenge”—might be especially valuable as we move to lower and lower numbers of nuclear weapons. Governments will have an interest in proving that they are meeting their reduction obligations, and may want to engage their publics in helping them to make the case. Then it will be incumbent on all of us to ensure that they cannot spoof or manipulate the verification challenges that they devise—that’s a significant problem, but one I am sure you can tackle.
Another example of public action to gather new information was the environmental monitoring that took place after the 2010 Deepwater Horizon oil-spill disaster in the Gulf of Mexico. The Public Laboratory for Open Technology and Science (PLOTS) paired with other institutions to create a community-led effort to monitor the oil spill using “balloon mapping”. The group provided instructions to community members for attaching digital cameras to a balloon or kite in order to capture aerial images. The images were then aggregated using open source software to piece together multiple digital images into a single coherent map.
In sum, citizen-run verification and monitoring projects may have potential in arms control and nonproliferation policy. If Country X declares that a nuclear facility has been closed, a citizen-led effort could augment standard international safeguards or verification of this declaration. Once again, we have to bear in mind that there could be significant limitations based on the freedoms available to the citizens of Country X—an issue to tackle in thinking through this problem.
In addition to developing new information, harvesting and analyzing existing information can be helpful, too. There is some very interesting work going on in social media aggregation and open-source map analysis.
Following the Arab Spring, the utility of Twitter and other social networking mechanisms gained new respect. News about the uprisings was being chronicled in real time not just by traditional news outlets, but by ordinary on-the-ground citizens. The revolution was being narrated by those actually creating it.
Laila Shereen Sakr, a PhD Candidate at the University of Southern California, followed the Arab Spring closely, creating a massive database of Arabic-language tweets. Instead of selecting terms herself and searching the database, Sakr let a computer program aggregate data and identify patterns. While aggregating tweets from Libya, her program identified spikes in certain hashtags or selected key words. These word spikes became a sort of pulse, an early warning identifying the fall of the town of Zawiya. A short while later, similar words spikes reappeared allowing Sakr to identify the impending fall of Tripoli. She was accurate to within a few hours.
The ability to identify patterns and trends in social networks could help the arms control verification process. In the most basic sense, social media can draw attention to both routine and abnormal events. We may be able to use data mining to understand where strange effluents are flowing, to recognize patterns of industrial activity, to queue sensors and satellites. Such queuing could help us to make better use of our scarce and expensive National Technical Means, or in some cases to supplement them in important ways. This is a major issue in an age of budget austerity, when the price tag for big hardware like satellites continues to rise. We need this “big hardware”, but we need to use it efficiently.
In this same vein, we should think about what there is to gain from using open source geospatial databases like Google Earth. Of course, NGOs, students and private citizens have been using open sources satellite images for research for some time now.
I recently learned about some interesting work of a Master’s Candidate at Monterey Institute, Tamara Patton. Patton is focusing her research on the production capacity of Pakistan’s Khushab Plutonium Production Complex. She is using freely accessible geospatial tools to gather and analyze information about the complex’s capacity levels. The really interesting part comes when she takes the open source satellite images of the complex and turns those into 3-D models using a freely available program called Google Sketch-up. This program constructs the models with dimensions that Patton ascertained using tools in Google Earth and basic trigonometry. The model is then placed on the map and textured using observable features. This modeling can be used both as tool of analysis and as a means of clearly visualizing and communicating results.
As we think through new ways to use these tools, we should be aware that there may be trouble ahead. We cannot assume that information will always be so readily available. As nations and private entities continue to debate the line between privacy and security, it is possible to imagine that we are living in a golden age of open source information that will be harder to take advantage of in future. In a recent Financial Times article, Ron Dreibert of University of Toronto said: "We may look back on the period of the 1990s and 2000s as a brief period where we could freely communicate and seek information wherever we wanted..." Another concern with open source technology is reliability. Information from open source technologies can be manipulated, misused and misinterpreted easily.
And social networking has its drawbacks, beyond the mountains of inanity that can obscure useful insights. Sometimes social media has unintended consequences. While it did not deter or prevent the mission, it was less than ideal that the raid on Osama bin Laden’s compound was being unknowingly live-tweeted in real time.
In the end, the goal of using open source information technology and social networks should be to augment our existing arms control verification capabilities, and I challenge this community to think about how it can be done. For example, compliance with the Comprehensive Test Ban Treaty will be monitored through an International Monitoring System (IMS). The IMS is made up of four well-established monitoring techniques that will detect nuclear explosions. Could this already robust system be further integrated with social networks, providing independent confirmation of official conclusions? It is something to think about.
Cyber Arms Control?
And now to pivot just a bit, I want to make it clear that while I am interested in thinking about how we can improve arms control policy with the tools of the Information Age, I think terms like ‘cyber arms control’ can be confusing and misleading. Too often, security concepts that are not fully understood are put into boxes where they don’t belong. This is not surprising. As I noted at the beginning of my remarks, new concepts take time to mature. Theories about nuclear deterrence did not spring up overnight; it took years for us to understand the implications of what we created.
Nuclear arms control has focused on limiting large hardware—missiles, submarines and bombers—that have had an unquestioned military purpose. The technology used to make cyber weapons is dual-use in nature, easily available on the web, and for the most part, visible only in its effects. The ability to identify an attacker in real time or with high confidence is often elusive. There are no huge reactors or big ICBMs to spot from the sky. Further, the physical limits and constraints that we’ve applied to missiles and stocks of chemical weapons cannot apply when we’re talking about widely dispersed actors, some in and some out of government, and information and software rather than hardware. This inability to “see” the threat adds to the fog of war.
Knowing that the traditional tools of arms control policy are limited in how they apply to cyber-weapons and warfare, we are looking to new tools and policies to address cyber threats. There are, however, some experiences from which we can draw.
Confidence-building measures are a good place to start. We are taking into consideration how our expertise in arms control CBMs can be applied to international cooperation on cyber security. For example, the Nuclear Risk Reduction Centers, traditionally used to exchange information flowing from existing treaty regimes, may next be used to notify of cyber threats, incidents, or exercises. International exercises may be a good way to identify new challenges in crisis communication, or technical cooperation and exchange which may be useful in defying and responding to common threats. Even simple exchanges of national policy or legislation on cyber security can help reassure states of domestic capacities to deal with the emerging challenges, and promote discussion on common understandings and best practices.
I recognize, of course, that we will have to develop new ways to apply such confidence-building measures, but if implemented properly, they can establish the basis for further dialogue and help to establish norms and standards of behavior. The trick will be how to apply international norms and standards to ensure that the cyber world is nurtured and developed for the good of mankind and does not become the provenance of malign state actors or criminals—a real and present danger.
The Obama Administration is committed to engaging on these issues. In early November, my boss, Secretary Clinton, will attend the London Cyber Conference hosted by British Foreign Secretary William Hague. Leaders from over sixty countries will gather to discuss norms of acceptable behavior in cyberspace. The UN First Committee for Disarmament and International Security has also been discussing options and objectives for cyber policy over the past month, during course of their current session in New York.
Later in the month, my Bureau—the Bureau of Arms Control, Verification and Compliance—will host a conference on Arms Control in the Information Age that will do a deep dive on some of the topics I’ve discussed here. In December, the United States will participate in the ASEAN Regional Forum Conference of National Security Policymakers on Proxy Actors in Cyber Space. We will continue to engage on many fronts, developing international action to affirm norms, and building mutual confidence as we navigate this rapidly shifting environment.
So, there is a lot going on, but I wanted to focus today on one corner of it: the verification of arms control treaties and agreements. I said at the outset that I think I’ve come to the right place to spark some new ideas for this policy arena. As you leave here today, I challenge you to help us find new ways to use the amazing information tools at our disposal to move our country and the world closer to eliminating nuclear weapons, and to tackling the control and limitation of all weapons of mass destruction.
You know, I often think, as I sit in my office soaking in its history, that if the minds behind the Manhattan Project were clever enough to invent the nuclear bomb, then surely we are clever enough to get rid of it.
Thank you again for inviting me here to speak. I would now love to take some questions.