Forum on the Arms Trade

Solving the Rubik’s cube: what’s next for norms in cyber space

12/27/2018

This is the fourth blog post in a series looking at an array of issues in 2019 related to weapons use, the arms trade and security assistance, at times offering recommendations.
Allison Pytlak
A slow drift toward a militarized cyber space has characterized the last few years. At the same time, an ever-growing patchwork of multilateral initiatives has sprung up to curtail hostile actions in this domain and articulate behavioral norms for states. From high-level political declarations to closed expert groups, governments, the tech sector, academics and others are full of ideas and suggestions. Yet, are these initiatives succeeding? Do they address human impact? Do they offer change, or accept and embody the same politicization and double standards that bedevil other security issues?  
 
In 2019, it is virtually certain that hostile cyber operations will continue to occur—both between governments, and between governments and citizens. What are these threats exactly, and how can the global community act to keep the peace in cyber space?
 
The threat is real
 
2018 was another active year for hostile cyber operations, to put it mildly.  State-sponsored hacking groups zeroed in on prominent international entities such as the Organization for the Prohibition of Chemical Weapons, alongside other targets like universities and hotel chains. Data exposure schemes kept pace with data breaches. We learned more about the vulnerability of the United States’ electrical grid.
 
While these operations do not constitute the doomsday scenarios that early cyber watchers predicted, they have nonetheless generated an increasingly militarized response from governments and experts, in which it is taken for granted that this is and will continue to be a fighting domain, and the best we can do is establish some rules of the road for damage control. This mentality is reflected in the role that digital technologies now play in some national cyber strategies and military doctrines. For instance, in September 2018 the United States’ new National Cyber Strategy adopted an aggressive stance, promising to "deter and if necessary punish those who use cyber tools for malicious purposes." The U.S., the United Kingdom and Australia have been open about the use of offensive cyber tactics against the Islamic State. Germany has slowly been transitioning to a more offensive approach; other European countries have been open about seeking the same.  
 
The slow drift can also be seen in how and where states are discussing international cyber security. In the United Nations (UN), this is an offshoot of disarmament and arms control bodies. Other multilateral fora tend to bring together individuals with that background as well. Consequently there is frequently an effort to import and apply hard security concepts to this domain—“cyber deterrence” is one example; efforts to fit traditional arms control regime-style solutions are another.
 
Accepting the militarization of cyber space without question further risks adopting frameworks and guidelines that are more permissive of harm to the population than international law allows, pushing the possibility of achieving cyber peace further away.
 
Many responses, any real solutions?
 
Navigating through the volume of policy and normative proposals that exist to guarantee global cyber stability is a bit like trying to line up the colors in a Rubik’s cube: you can see some patterns, but getting all those squares to click into place is a challenge. Below is a non-exhaustive overview.
 
The UN, the world’s largest multilateral negotiating forum, has since 2004 been the home of a Group of Governmental Experts (GGE) on information and communications technologies, or ICTs for short. The early Groups examined existing and potential threats in cyberspace and possible cooperative measures to address them, while more recent ones worked to develop behavioral norms for actions in cyberspace, culminating in eleven norms that were recommended by the Group in 2015 and subsequently adopted by the General Assembly.
 
This seems to have been a high point for the Group, however—significant differences over foundational questions such as the applicability of international law and the UN Charter to cyber space prevented agreement on a report in the next round. The geopolitical lines along which countries were divided are nothing new (in general terms, the west versus the rest), yet the extreme degree to which this issue became polarized in 2018 was unexpected, and has resulted in a procedurally conflicted and potentially counterproductive two-track UN approach to one of the most ubiquitous security threats facing the international community today. In 2019, there will be two UN entities concurrently taking work forward on cyber security norms: an open-ended working group that originated from a Russian-led initiative, and a US-inspired GGE. Exactly how these entities will interact remains unknown, and the cost and administrative burden of managing both is not insubstantial.
 
Some have noted that deadlock at the UN gives impetus to, and space for, the efforts of other stakeholders. Governments, the tech sector, and other experts have been interacting for years through the Global Commission on the Stability of Cyberspace, which in November 2018 proposed a set of six norms toward cyber stability. Also in November, France launched its Paris Call for Trust and Security in Cyberspace during the Paris Peace Forum. The Paris Call is unique in bringing together endorsements from government, industry, and non-governmental organizations, but so far lacks the support of some states, including Russia, China, the United States, India, and Brazil.
 
Within the technology sector, Microsoft has framed itself as something of a moral compass in this space, first by publishing its own International Cybersecurity Norms in 2015 and most recently by playing a driving role in the Cyber Tech Accord. The Accord binds together 60 companies to partner on initiatives that improve the security, stability and resilience of cyber space—although some critics argue that implementation has fallen short. Somewhere in between the norms and the Accord, Microsoft’s CEO also called for the development of a Digital Geneva Convention in 2017, building somewhat on the contributions of the International Committee of the Red Cross to the literature on the applicability of international humanitarian law to cyber space.
 
Clearly, from the number of times that I have used the word “norms” in the last several paragraphs, state and non-state actors alike are fans of developing some—or of implementing those that are already agreed. Yet what of something legally binding? That’s even more of a fraught issue, tangled up in geopolitical and ideological divides. Russia has been proposing a UN cyber treaty for well over a decade but has not gained sufficient support from other states, largely because elements of the draft it has put forward could legitimize some of their more nefarious domestic practices in curtailing internet freedom. Any new treaty-based initiative—and support for that does exist—would need to somehow account for this in a way that doesn’t isolate support or spark competition. It would also need to navigate existing regional and bilateral cyber security pacts.
 
Taking a people-centered approach in 2019
 
Perhaps the biggest blind spot in all the above initiatives is the human one. Very little information related to the human impact of cyber operations makes its way into multilateral discussion forums on cyber security, and this contributes to institutionalizing, and taking for granted, the broader societal harm of cyber conflict.
 
There is, however, an ever-growing and highly credible evidence base illustrating the negative uses of digital technology in repressing human rights, notably the rights to freedom of expression, speech, assembly, and privacy. This is not a practice limited to just a handful of governments, but one that is practiced in many parts of the world.
 
The human rights dimension of the cyber security agenda is usually separated out from the “international security” agenda, at least in the context of the UN. This is due in part to the structure of the UN itself, but possibly also because it’s politically awkward—some of the countries that are the largest proponents of cyber stability and norm development, for example, are also quietly permitting the export of digital surveillance technologies produced by companies in their jurisdiction. This has been an on-going debate among European Union countries in particular, in which the dual-use nature of digital surveillance technologies has been at times an excuse for not taking a meaningful policy response.  
 
Continuing to factor out human rights and humanitarian impact from inter-governmental discussions about global cyber security makes it easier to think of this domain in purely military and hard security terms. Our experience in banning nuclear weapons and regulating the global arms trade demonstrates that incorporating these perspectives can alter the discourse and generate people-centered responses.  
 
Where to from here?

Like a genie out of the bottle, it’s unlikely that the digital threats will decline in 2019, so to return to the question posed at the beginning of this blog: how can the global community act to keep the peace in cyber space?
 
First, we must stop using the same words, language, and approaches that we apply to traditional disarmament and security issues, and understand cyber space on its own terms: as both a medium in which conflict can occur, as well as a multi-faceted tool to cause disruption and harm offline. Trying to determine what a cyber bomb equates to in the kinetic world is futile; there is no such thing, and this way of thinking encourages “round peg in square hole”-type solutions.
 
Yet, we cannot underestimate the vulnerability of digital networks and systems that prop up existing weapons and weapon systems. Nuclear weapons are vulnerable to cyber operations. The systems that enable unmanned aerial vehicles are vulnerable to cyber attacks. This should be further incentive to disarm.
 
Third, it’s frustrating that progress at the UN has been held hostage by power politics. It’s also concerning that two of the world’s largest cyber bullies are at the helm of new efforts. This can, however, be an opportunity for other states to step up and play constructive roles in bridging differences and brokering solutions—as they’ve started to, along with other stakeholders.
 
Fourth, it will be important to harmonize efforts across the patchwork of responses identified here, in order to avoid redundancy and maximize knowledge and move toward implementation of what has already been agreed. States should establish the strongest norms against malicious operations—and reduce the motivation to pursue aggressive cyber capabilities.
 
Last, we must stop overlooking the human dimension and talking about cyber security in sanitized and faceless terms. Human rights considerations, for example, should be included in all discussions rather than being sidelined in the standard arms control and disarmament forums.


Allison Pytlak is the Programme Manager of Reaching Critical Will, Women’s International League for Peace and Freedom (WILPF)
 

Cyber Insecurity Under Trump

4/29/2017


 
This is the seventh entry in a series examining actions during the first 100 days of the new Trump administration and their possible implications on the arms trade, security assistance and weapons use in the future.
Allison Pytlak
Russia’s interference in the 2016 U.S. election was one of the biggest stories in recent history. "Cyberwar" and "cyber security" dominated headlines at the outset of Donald Trump’s presidency, even before his inauguration. Yet despite the unprecedented media chatter and controversy, the President’s response to cyber issues has been underwhelming. Key deadlines on publicly articulated deliverables have been missed entirely and other initiatives are lagging. While there are inklings of plans to strengthen America’s online infrastructure and systems, including through partnership with the private sector, technology moves notoriously faster than politics. If President Trump doesn’t act soon, America will continue to be dangerously vulnerable.

Much of the story about Trump’s first 100 days in the cyber context is rooted in the scandal over whether or not the Russian government played a role in determining the outcome of the U.S. elections, through various hacking and doxing schemes, and by extension, if the then-presidential candidate had a role in any of it. To refresh our memories, this first began in June 2016 when the Democratic National Committee reported an intrusion into its computer network and the cyber security firm CrowdStrike publicly blamed Russian hackers, following their investigation. As stolen emails from the committee began to appear on public sites, there were other voices – from the government and the intelligence community – reinforcing the view that the attacks originated from the Russian government.

In December the already suspected motive for these actions gained credence when the Washington Post disclosed a secret CIA assessment that declared it “quite clear” that a Trump presidency was the ultimate goal of the hacks. In January, the CIA, FBI and NSA – referring to themselves collectively as the “intelligence community” – publicly concluded that Russia had used cyber methods in pursuit of “undermining public faith in the U.S. democratic process, denigrate Secretary [Hillary] Clinton, and harm her electability and potential presidency”.

While attribution in cyber space is complex and difficult, it is not impossible. Good forensics can uncover digital fingerprints. Ascribing such a clear and conclusive motivation to a cyber operation is more unusual, often because the evidence is circumstantial at best. Not surprisingly, the intelligence report prompted a maelstrom of finger pointing, accusations and reactions from President Obama before leaving office.

The response from then President-elect Trump was quite clear, in that he said he would appoint a team to provide an anti-hacking plan within 90 days of taking office. This was reinforced by a tweet on January 13 and followed up by an event on cyber security in late January that featured former New York City mayor Rudy Giuliani, who now leads a group tasked with building private sector partnerships on cyber security. At the time Trump said, “We must protect federal networks and data. We operate these networks on behalf of the American people and they are very important.”

The 90-day mark for this plan has now come and gone with nothing in sight nor any updates on its status.  As we now hit the 100-day milestone, most in the community are wondering if this plan will ever emerge.

Also languishing is the Senate Intelligence Committee’s probe into the election interference, including whether there was any coordination between the Kremlin and Trump. The Committee announced it had agreed on the scope of its investigation more than three months ago, and claims it has done some initial work. But it is significantly hampered by lack of capacity, recently promising to add more staffers after being criticized for lacking full-time dedicated staff, with those working on it part-time said to lack investigative experience.

On the international front, the State Department recently argued that a proposed new treaty to govern cyberspace would be “misguided” and “misses the mark.” Microsoft has recently begun to call for such an agreement, referring to it as a “Digital Geneva Convention.” There are various multilateral discussion fora in which states meet to discuss behavioral norms in cyberspace that the United States participates in; some wonder if this will change.

The one bright spot is a pending executive order on cyber security that is expected any day. Leaked drafts indicate that it could mandate agency-by-agency reviews of security practices and require agency compliance with the National Institute of Standards and Technology cyber security framework. It might also make it a policy to modernize information technology or encourage the expansion of the cyber workforce. Overall, the emphasis would be on improvement and modernization, which could lay the groundwork for related legislation.

This would be positive. Research shows us that the more developed and technologically sophisticated a country is, the more vulnerable it becomes to hacking and other malicious cyber operations because so much of how it functions involves digital networks. This vulnerability is true for both foreign and domestic cyber attacks. As Symantec recently noted, the 2015 hack of the Office of Personnel Management continues to impact the federal government technologically and financially, while state and local governments, as well as universities, find themselves under constant attack and struggling to defend the safety of the vast amount of information they keep.

It’s also clear that this is not a problem that will go away anytime soon. To date, most cyber "conflict" actually entails low-level antagonistic actions like hacking, distributed denial of service (DDoS) attacks or similar. But what is very much on the minds of many governments is how to protect their critical infrastructure, which could range from electrical grids to, in the case of the United States, nuclear or other weapons systems.

At what point does software become a weapon, and how can the arms control community, in the United States and elsewhere, address this? Experts believe it’s unlikely that a nuclear weapon could be detonated through a cyber operation or attack, but it is a possibility not to be dismissed. More likely is that nuclear weapons software and associated systems could be altered as they are being built, or electronic signals might somehow be sent to nuclear weapons. Hackers could also wreak havoc through manipulating information that these systems depend on. The methods and means by which something like this, or other malicious operations, would occur require more thought.

Allison Pytlak is a Program Manager in the disarmament program (Reaching Critical Will) of the Women’s International League for Peace and Freedom

    About

    The "Looking Ahead Blog" features comments concerning short- to medium-term trends related to the arms trade, security assistance, and weapons use. Typically about 500-1000 words, each comment is written by an expert listed on the Forum on the Arms Trade related to topics of each expert's choosing.

    Inclusion on the Forum on the Arms Trade expert list does not indicate agreement with or endorsement of the opinions of others. Institutional affiliation is indicated for identification purposes only.
