DiploFoundation, with the support of Microsoft, organised the web discussion: Cyber-armament: A heavy impact on peace, economic development, and human rights. This webinar was the first in the series of cyber-diplomacy web discussions which aim to map trends; introduce challenges; clarify open issues on the negotiation table; outline processes where discussions are happening; and explain how all of us can get involved. Chris Painter (Commissioner of the Global Commission on Stability of Cyberspace, and former Co-ordinator for Cyber Issues at the US State Department) and Oleg Demidov (Cyber Researcher at UN Institute for Disarmament Research [UNIDIR]) joined us to discuss cyber-armament. The discussion was moderated by Vladimir Radunović (DiploFoundation). Radunović explained that this webinar looks into the development trends of states’ offensive cyber capabilities; and the potential consequences of the growing number, sophistication, and power of cyber-attacks conducted against countries and critical components of societies.
Radunović began by stating that we might have had the utopian belief that cyberspace will bring us prosperity only. Nevertheless, cybersecurity has become an issue. Not only our systems are very vulnerable (and new ones, like Internet of Things [IoT] and smart concepts seem even more so), but highly critical societal components – like energy grids - are becoming digitised at the same time. Threat actors have expanded from geeks to criminals, to political groups and states. It may seem that we have moved to a dystopian scenario. The good news is that the international community is putting efforts to reach agreements on how to minimise risks and develop rules for responsible behaviour for states and other stakeholders in cyberspace. Still, news articles regarding cyber-attacks against critical elements of the society, and mutual accusations for these attacks are becoming common. It might lead us to question whether we actually live in a time of cyberwar - or, since it is hard to define what cyberwar is - whether we live in time of cyber peace.
Do we live in a time of cyber peace?
Painter stated that we live in a time of quasi-peace – there are threats in cyberspace, states are developing offensive cyber capabilities, and malicious actors are making cyberspace unstable. However, we have never lived in total peace in the physical world either, so the dichotomy between cyberwar and cyber peace is false. We are in an equilibrium, trying to preserve stability and peace in order to reap the benefits the Internet can bring.
Demidov noted that it is increasingly more difficult to draw the line between peacetime and war. Formally, it is still peacetime, because there was never a consensus that a cyber impact, a cyber operation, or a cyber-attack breached the threshold of an armed attack, aggression or even the use of force, as these terms are understood in the charter of the UN. However, it is becoming increasingly difficult to assess whether any of the incidents that occurred actually beached this threshold, and to reach consensus on whether it did.
What are the possible consequences on peace, economic development, and human rights?
Painter stated that cybersecurity is not only a national security issue, but also an economic one. For example, theft of intellectual property has an impact on the future of viability, economy, and innovation. There is still progress to be made on making cybersecurity a core policy issue. While presidents, leaders, and prime ministers mention it in their speeches, high-level national security advisors, economic advisors or secretaries of foreign affairs ministries are rarely present in the discourse.
Demidov highlighted an increase in impact and interest of non-governmental actors, like private companies, in the norm shaping agenda with regard to cybersecurity issues. In Demidov’s opinion, this is entirely natural - the increasing involvement from the industry and technical community reflects the concerns and risks these actors face due to exacerbated malicious activities in cyberspace. They are the first line of defence, since they create the products, software, hardware, and provide services in the digital economy. They are invested in escalating their interests and responses to the international community discussion level and even to the level of international norms. This trend brings communities of policymakers, government officials, and national security decision makers closer to the industry and technical community, and helps them to shape a common vision on how to approach those issues.
Cyber-armament: is there such a thing?
Radunovic briefly presented the mapping of offensive cyber-capabilities undertaken by the Geneva Internet Platform (GIP) Digital Watch Observatory. The mapping gathered evidence from official documents and media coverage, and detected that countries are increasingly investing in offensive cyber capabilities. According to the evidence gathered, as of October 2019, at least 24 countries have officially revealed that they possess or are developing offensive cyber capabilities.
Painter opined that the term ‘cyber-armament’ is a misnomer – there are no cyber arms that can be stocked as conventional arms. Rather, cyber weapons are capabilities and vulnerabilities that can be used once. The term ‘cyber-armament’ can imply that cyber weapons have to be controlled and limited; however, there is no practical way to do so. All states develop offensive cyber-capabilities – either by themselves or by outsourcing it – and transparency in how they are used is crucial. Instead of putting forward a legal regime that will contain and control cyber armament, focus should be put on their possible impacts by determining what targets are off-limits.
Demidov suggested focusing not only on offensive cyber-capabilities, but also on activities, actions, operations for which and in which those capabilities are deployed. There are two parameters that can be used for the assessment of those operations: (a) the effects that they produce (damage, human casualties, disruption of networks, economic impact, etc.) and (b) the intended purpose of those activities. Based on the parameters of purpose and effects in the use of any activities in cyberspace, basic metrics for categorising them as either malicious activities or aggressive acts can be set. In terms of monitoring these malicious activities in cyberspace and the capabilities that are used to conduct such activities; one of the ways are regimes for expert controls that apply to dual-use items, such as the Wassenaar regime. The efficiency of these monitoring frameworks for dual-use technology is controversial. They can be efficient when it comes to specialised hardware, firmware, or tangible components that are specifically designed, used, and manufactured to be deployed in specific types of operations in cyberspace. However, it is still challenging to deploy effective monitoring and verification mechanisms for software, because software does not have permanent characteristics - code can be changed.
What are the critical infrastructure that can be targeted by cyber operations?
In Painter’s opinion, each state will define what is critical to them, as critical infrastructure indicates what is critical to one particular society; that if it goes down or it is compromised it will have widespread societal, economic, and political effects. Some core sectors that each country is likely to include in their definition of critical infrastructure are electrical power grids, financial and telecommunications systems. The global core of the Internet and election systems are also issues that have been put forward as part of critical infrastructures. Painter noted that we have to be open to thinking about how to apply the terms we have already agreed to to new technologies in order to protect what is really important to us.
Demidov highlighted the regulatory efforts across different state and regional jurisdictions to develop specific rules, legislation, and guidelines for the protection of critical information infrastructures. There are certain similarities in approaches between countries that have nothing in common. For example, principles and methodologies embedded into the EU directive and network in information security of 2016 and the recent legislation on protection of critical information infrastructure in Russia are quite similar in terms of parameters and criteria that help them define what critical information infrastructure is, as they are both based on the notion of essential services needed by a significant share of the population to lead normal lives. One more way to define critical infrastructure could be the possibility and probability of human casualties and damage to human health and life in case this service or this infrastructure is disrupted or cyber-attacked.
Are casualties likely to happen - and would this be a game-changer?
Painter stated that we have been fortunate not to have witnessed any loss of life as a consequence of cyber-attacks. That is in part because nation states do not have an incentive to do that, as they would cross the threshold of use of force (except when cyber operations are part of conventional war). Terrorists are more interested in causing death and destruction in physical ways - they plan and proselytise through cyber means, but they do not attack the infrastructure. Nevertheless, loss of life and destruction as a consequence of a cyber-attack would raise alarm bells in the international community and make cybersecurity a higher priority for policymakers.
Demidov noted that one of the major goals behind the international community's efforts to develop rules of responsible behavior and norms in cyberspace is to create a mechanism before the ‘cyber Pearl Harbor’ happens. He also noted that it could be a game-changer, but it would depend on whether such an incident would become public, as well as on its scale.
Where are the discussions taking place, and how can we get involved?
Demidov noted that there are different intensive developments in discussions on cybersecurity norms, capacity-building efforts, and other available options and instruments within the UN. Those discussions are being shaped and conducted within several tracks. The most well-known among all of them are the Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG), both established based on two different resolutions in 2018. The provisions in the mandates of the two groups are very similar, and both groups are using the work of previous GGEs as the basis for their activities. The first substantive session of the OEWG in September 2019 showed that the GGE and OEWG, as well as their secretariats and the researchers supporting them, are co-operating and co-ordinating their activities. Within the UN itself, there are a number of efforts to deploy proper co-ordination of activities related to cybersecurity, capacity building, awareness raising, training, sharing of resources and information, in order to address the challenges of cybersecurity and the tasks of cybersecurity capacity building in a co-ordinated manner.
Painter noted that both the GGE and OEWG have made efforts to reach out to other stakeholders. Painter enumerated various efforts that supplement and inform the two UN processes: regional efforts such as the African Union (AU), the Organisation of American States (OAS), ASEAN Regional Forum (ARF), Organization for Security and Co-operation in Europe (OSCE); non-governmental efforts, such as the Global Commission on Stability of Cyberspace (GCSC), Global Forum on Cyber Expertise (GFCE), the Paris Call, the Siemens Charter, and the Microsoft Accord. He underlined the importance of cyber capacity building, which should prepare countries for dealing with cyber issues on a technical and policy level – including the ability to participate in debates on norms, rules, and consequences.