Democracy Lab

Burma's Lost Boys

The government in Burma is promising to clean up its act. But the army is still recruiting child soldiers.

Tucked away in a walled patch of dirt on the outskirts of Laiza -- a small town in northern Burma under the control of rebel fighters from the Kachin ethnic group -- eight children sit in olive fatigues and football shirts, chain-smoking cigarettes. Their hacking coughs, slow movements, and blank stares camouflage their real ages.

The group of boys, all between 13 and 16 years old, come from the most recent wave of child soldiers to defect from the Burmese army, fleeing from their own outposts and emerging from the land-mined jungle to surrender to rebel fighters from the Kachin Independence Army (KIA). The war has continued despite a series of government peace overtures to other rebel groups.

Despite assurances this year from the ruling junta that it is cleaning up its act in a bid to see Western sanctions lifted, recruitment of child soldiers remains rampant. This month, the British newspaper The Independent revealed that in the first three months of 2012 alone, the U.N. verified 24 instances of children being coerced to enlist -- the equivalent of two a week.

In return for cigarettes, the boys in Laiza share stories of how they were duped by army recruiters into signing up for service. Along the way they were forced to forge their own birth certificates, thereby erasing their identities and falsifying their ages to buffer the numbers in Burma's struggling military.

"We were on our way back from the cinema when soldiers saw us and followed," said Nay Myo Oo, a 14-year-old who was living in the south of the country. "They asked us why we weren't at school. Later, they came with trucks and picked us up. They said we would be paid, took us to a building, and forced us to sign a statement saying we were older than 18."

Overnight, Nay Myo Oo went from schoolboy to soldier, finding himself caught in a dusty, hot camp where boys suffered routine beatings and fought each other for food. Of the thirty boys he trained with, some, he says, were just eleven years old.

"They had mostly been abandoned by their parents," he said, "but others were just picked up from the streets. Talking at the camp was forbidden. If we made a mistake while cleaning our guns or during physical training, they would beat us with a bamboo stick or slap our faces."

For nine consecutive years, Burma has been on the U.N.'s so-called "List of Shame," a report published by the office of the U.N. Special Representative for Children and Armed Conflict, which exposes countries that use child soldiers. In Burma's case, the agency notes that both the government and rebel groups have recruited tens of thousands of children between them. As early as 2002, Human Rights Watch released a paper saying that Burma had more child soldiers than any other country in the world. The group estimated the number at around 70,000.

Declining morale in Burma's national army, high desertion rates, and a shortage of volunteers have created such high demand for new recruits that many boys, some as young as ten, are targeted in massive recruitment drives and forced to become soldiers.

A new action plan on child soldiers, signed on June 27 this year between the U.N. and the Burmese government, has given hope that the trend can be reversed. If it works, some of the tens of thousands of children who have been pushed into military service may be able to return to their homes.

The confidential agreement pledges the government to stop recruiting child soldiers, and crucially allows underage recruits to return home without risk of prosecution. The agreement hopes to ensure that illegal recruiters will be held accountable under Burmese law for picking up children. In a huge shift in government policy, the military has also agreed to allow the U.N. and other organizations access to camps to check for underage recruits.

Critics of the deal, including some humanitarian aid workers who have been involved in the negotiations, say that the military is engaging with the international community as a tactic for ensuring the survival of the military-dominated regime.

They say that the government's refusal to negotiate on certain aspects of the agreement -- most crucially an enforced 72-hour notice period before monitors can be granted entry to military compounds -- reveals a lack of political will to reach a genuine solution to the problem.

"It's shocking that the U.N. even agreed to this plan," says Brad Adams, executive director of Human Rights Watch's Asia Division. "It should have been a non-starter. Child recruitment in Burma is a longstanding and chronic issue, and the government should not be given any benefit of the doubt on this." He notes that providing advance notice of inspections gives the military more than enough time to conceal anything it wants.

Maung Zarni, of the London School of Economics, argues that the persistence of the problem of child soldiers is intimately connected with the political system in Burma, which has been built primarily to serve the needs of the reigning military.

"Burma's military units are best and most accurately understood as a web of nationwide criminal organizations," says Zarni. "They will do the bare minimum in terms of political liberalization and observing international norms. On child soldiers -- or, for that matter, any other issues -- the Burmese consider human rights, NGOs, the U.N., human rights conventions, or any of those things nothing more than a nuisance." He says that the military is so reliant on the use of child soldiers that it will probably take years to wean it of the practice.

Until the nominally civilian government was formed in 2010, the ruling State Peace and Development Council (SPDC) consistently denied the presence of any child soldiers in the Burmese army. The state-run media dismissed reports of child soldiers as "slanderous accusations," and declared that the government was cooperating with U.N. agencies in order to prove that the allegations were untrue.

Now, a year after he was taken away by the Burmese armed forces on his way to the movies, Nay Myo Oo is a prisoner of war with the Kachin Independence Army. His decision to desert was, he says, prompted by a bad beating at the hands of his commander. Jumping 20 meters from the top of a nearby dam, he swam across a lake, dumped his uniform, and ran half-naked through a jungle filled with land mines until he reached an enemy position. When the KIA found him they beat him again. Eventually, though, they took him to their intelligence headquarters in Laiza.

Nay Myo Oo has no way of contacting his family, and lives in fear that he will never be able to return home. "If they caught me they would have killed me, or put me in prison for many years," he says. "Here we have three meals a day and free time to play. I'll stay here."

In Burma, children like Nay Myo Oo have become a commodity, bought and sold by military recruiters who are desperate to meet recruitment quotas imposed by their superiors.

The government insists that the armed forces consist entirely of volunteers and that the minimum age for recruitment is 18. Soldiers and other witnesses interviewed by monitors, by contrast, have repeatedly testified that most new recruits are conscripted, and that the majority of them are under 18 years old.

Army officers face considerable pressure to fill recruitment quotas. Battalion commanders who fail to meet their targets are subject to a range of disciplinary action, including loss of command. As a result, battalions and recruiting centers offer cash to their own soldiers to bring in recruits, and sometimes even "buy" recruits from civilian brokers and the police.

Recruiters stake out train stations, bus stations, markets, and other public places, always on the watch for young adolescent boys on their own. The boys are threatened with arrest for loitering or the failure to produce identification, and are then intimidated, coerced, or if necessary beaten into "volunteering" for the army.

Dire conditions and regular beatings, along with the fact that many children never see any pay because of rampant corruption among their officers, lead many of the young soldiers to defect.

Some, like the boys in Laiza, run through the front lines to rebel territory, or take shelter in refugee camps. Some join up with rebel forces to fight back against the government. Others cross borders and remain stranded in Thailand or China. Many of those who try to escape are caught, imprisoned for desertion, or simply killed.

Despite repeated attempts by the UN to calculate the number of children involved in conflicts in Burma, the secretive nature of the military and lack of access to areas controlled by the country's myriad armed ethnic groups means a figure has been impossible to estimate. The simple issue of access -- getting independent advisors permission to enter military sites for research -- has been a constant problem.

"The real test of the Burmese government's political commitment to this issue will lie in the measures they take to effectively end this practice," says Richard Clark from the humanitarian organization Child Soldiers International. "A concrete sign of this commitment would be to allow the U.N. timely access to all its military sites." So far, though, Burma's rulers appear unwilling to comply.



Code Red

How Capitol Hill politicking has undermined cybersecurity--again. 

The U.S. Congress has been considering two significant cybersecurity bills, the Revised Cybersecurity Act of 2012, which failed a procedural vote in the Senate on Thursday, and the Cyber Intelligence Sharing and Protection Act (CISPA) in the House of Representatives.* Their significance comes from their shortcomings: Both bills have fallen prey to the limits of the current American political climate, where special interests and disputes over the appropriate role of government have combined to harm national security -- and, as a result, neither will do much to protect the United States from cyberthreats.

Congress knows that weak cybersecurity endangers the country -- and that America is dangerously unprepared -- but it cannot muster a majority to support serious defensive measures. The same forces that have kept Capitol Hill in gridlock on many important issues have also blocked effective cybersecurity legislation. That said, Congress does not want to be in the position, after the inevitable cyberdisruption, of having to say it knew but did nothing.

The political solution to gridlock is to pass weak legislation and pretend it will work. This is the CISPA story. House Republicans created a Cybersecurity Task Force last year to develop ideas to strengthen cybersecurity. The report they issued in October was fair and accurate. Had the House enacted its unanimous recommendations, which included regulation of critical infrastructure, the nation would be safer. The recommendations formed the basis of a comprehensive bill introduced in the Homeland Security Committee. Unfortunately, for reasons that are unclear, but likely relate to concerns about the Department of Homeland Security (DHS), small-government ideology, and the pressures of an election year, the House suddenly reversed course and withdrew the comprehensive cybersecurity bill from consideration, with some members saying that they no longer supported the report they had endorsed a few months earlier.

The demise of the task force-inspired bill meant the House needed something to take its place. The solution was to elevate CISPA. CISPA began as a measure to remove the legal impediments to information sharing between companies and the government. This information can include "signatures" and other cyberthreat indicators, such as intelligence information, reports of successful penetrations, and information on the identities or network addresses of the "attacking computers" (This category raises potential privacy problems that CISPA worked hard to address). Many people agree that the United States needs to update legislation on communications and privacy, and CISPA does good work in this regard (pace the privacy community), but it is not really a cybersecurity bill and sharing information is a feeble response to a serious threat.

Politicians like information sharing because it doesn't actually require them to do anything. Information sharing was a central part of the Clinton administration's cybersecurity policy created in 1998 by Presidential Decision Directive 63. Information sharing didn't work then, it hasn't worked since, and it won't work now. America is more vulnerable to cyberattack after years of relying on voluntary action and information sharing because information sharing does not change the economic incentives for inaction. Companies assess the probability that a threat will become an attack, and if there is an attack, whether they will be held liable. They weigh the cost of preventive measures against the risk of liability. Almost all conclude that the liability risk for cyberattack is too low to justify greater effort. This is a sensible business decision but does not help national security. Sharing cyberthreat information is not enough to protect critical infrastructure because it is the attacks we don't know about, the attacks that exploit unknown vulnerabilities, that create the greatest risk.

Particularly after their experience with the "warrantless surveillance program," where companies that cooperated faced a plethora of lawsuits, corporations are understandably reluctant to share information with the government. CISPA would lower the risk of sharing information by offering them liability protection, but it does not create incentives for securing networks. In private, some members of Congress will tell you that they know CISPA is not enough. Nevertheless, in public, they trumpet CISPA as a cybersecurity bill. One powerful motive for its passage, as a House member privately told companies, was that it would "help protect you from regulation."

The bogeyman of regulation appeared in the Lieberman-Collins bill (now the Revised Cybersecurity Act of 2012), which incorporated language from bills drafted by Senators Jay Rockefeller, Olympia Snowe, Dianne Feinstein, and Tom Carper. The bill, in draft for three years, gave DHS the ability to regulate critical infrastructure. This provoked howls of rage from some conservative opponents because it ran contrary to the belief that the private sector does not need help from big government. There are sound reasons to be critical of Keynesian economics without also sacrificing public goods. Big government is best avoided, to be sure, but no sane person has ever said that the private sector can carry the burden of national security. Nor is anyone calling for an end to Federal Aviation Administration regulation and instead relying on market incentives for safe flight. The fate of the cybersecurity bills is part of a larger and damaging political debate on the role of government.

To be fair, early drafts of the Cybersecurity Act had problems. No one on either side of the aisle was comfortable giving DHS more authority -- its failure to perform in the first years of its existence told heavily against it. What's more, the bill did not precisely define what critical infrastructure would be covered by the new law, giving the impression that DHS would regulate the entire economy. And it was too prescriptive, requiring DHS to approve companies' cybersecurity plans in advance -- a sure way to ensure delays and backlogs.

At the same time, proposed amendments from opponents were ridiculous. To limit the definition of "covered" critical infrastructure, they proposed that only facilities where cyberattack would produce "a mass casualty event comparable to the consequences of a weapon of mass destruction," "mass evacuations of a major population center," or "catastrophic economic damage" would be covered. The Stuxnet worm, for example, would not have been caught under this definition. Amendments like these showed that many opponents of the bill, in and out of Congress, are not serious about cybersecurity.

When the Cybersecurity Act was finally introduced in February, many issues had been fixed. DHS would no longer approve plans in advance. Company CEOs would only need to certify once a year that they had taken steps to secure their networks, using measurable outcome-based guidelines. DHS would not prescribe how they should do this, but simply define outcomes that a company could then use any technology or technique to achieve. This was very light regulation, but for some it was still too much.

Encouraged by business interests, seven ranking minority members from relevant Senate committees rushed an alternative bill into play. The first draft of this alternative bill was simply a copy of early versions of the Lieberman-Collins bill, with the new authorities removed. It, like the "mass casualty" definition, was intended only to block the Cybersecurity Act, not to make Americans more secure -- any politician or lobbyist will tell you it is hard to stop something with nothing.

The Revised Cybersecurity Act that reached the floor last week was drastically amended in an effort to secure more support. One amendment that did not survive built on ideas from Senators Sheldon Whitehouse and Jon Kyl. It would have kept a standard-based approach and annual certification, but made it voluntary for all companies except those that the government designated as critical to national security. An example would be a critical defense facility in a remote area that depended on a small electrical company whose networks may be vulnerable to attack.

This approach could have worked. The only requirement would have been an annual certification by CEOs. Critical infrastructure would have been protected. And DHS would not have become an über-regulator; instead, existing regulatory agencies would have overseen compliance with cybersecurity standards.

Alas, the Revised Cybersecurity Act of 2012 relies on voluntary action -- for everyone, regardless of their importance to national security. But what everyone does now is entirely voluntary, and more of the same will not improve security. The bill offers weak incentives for companies to certify that their networks are secure. It continues the overreliance on information sharing, accompanied by complicated protections to assuage the privacy community. Regulatory agencies can make cybersecurity standards mandatory to the limits of their existing authorities. The bill simply translates the status quo into legislation -- a status quo we all know is inadequate.

Few companies are likely to certify themselves because the incentives in the bill don't compensate for the regulatory risk this creates. A promise to "study" procurement preferences isn't much of an incentive -- it's like promising to study whether you should repay someone who lent you money -- and in any case, infrastructure companies are often sole providers for whom "preference" is not an incentive. The basic problem -- true since 1998 -- is there are no incentives sufficient to make companies in most critical infrastructure sectors take voluntary action to bring the security of their networks to the level needed for national defense.

Congress could fix this if it revised the Cybersecurity Act one more time to give the federal government the ability to mandate compliance with reasonable standards when this is needed to defend the nation, but there is probably not enough time before Congress goes out of session to do this. Most observers believe that the United States will only get effective cybersecurity legislation after there has been a crisis and that the country will then overreact, trampling privacy and putting in place rigid requirements. No one on the Hill wants this outcome, but it may be unavoidable.

The fate of cybersecurity legislation is symptomatic of a larger political crisis. Congress knows there is a problem, but cannot agree on a fix. That the cybersecurity bills fall short is not the fault of the sponsors and drafters of the bills, whose goal has always been to protect the nation. They have struggled for years with difficult issues and an intransigent opposition from shrink-government zealots and business groups. Whether these bills become law or not, the task of finding new, effective ways to secure the country's infrastructure and networks will now revert to the executive branch.

* This article has been updated to reflect the Senate's vote on Thursday.

AFP/Getty Images