| This is the fourth blog post in a series looking at an array of issues in 2022 related to weapons use, the arms trade and security assistance, often offering recommendations. |  Allison Pytlak |
Malicious cyber operations are already making headlines just weeks into the new year. Last week Ukraine was hit by an operation that defaced the websites of some governmental departments; two days later “highly destructive” malware was discovered on several private and governmental networks. Earlier in January, authorities blocked internet access in Kazakhstan following days of protest and an earlier crack down on social media platforms. Meanwhile, many companies, governments, and organizations are still dealing with the extensive fallout of the Log4j vulnerability which surfaced in December 2021.
What used to feel like science fiction is fast becoming a daily reality in our ever more wired lives. The scale and frequency of malicious cyber operations has intensified during the Covid-19 pandemic in line with a greater dependency on digital networks, even as digital divides persist. For instance, malware and ransomware attacks reportedly increased by 358% and 435% respectively in 2020. Software supply chain attacks rose by 650% last year while physical supply chains attacks have contributed to economic distortion. Disinformation, misinformation, and propaganda campaigns are increasingly affecting domestic political processes and Covid-19 pandemic response. A series of revelations about Pegasus spyware has demonstrated the extent to which authorities spy on individuals and organizations, and it is estimated that more than 486 million people were affected by internet shutdowns in 2021, an increase of 80% from the preceding year.
What this points to is not only that the misuse of information and communications technologies (ICTs) has become more frequent but also that ICTs are increasingly integrated into other methods of disruption, war fighting, and repression. While “cyber” was once viewed as a standalone domain, the use of cyber-related tactics or the targeting of ICTs directly has instead become a component of broader operations that pursue strategic goals. As just one example, the operation targeting Ukraine follows on from a history of Russia-linked cyber operations against the country—including one that knocked down Ukraine’s power grid in 2015—and has occurred in a context of current heavy military build-up and political tension.
For many perpetrators, cyber operations are attractive because they cause disruption and have impact but do not risk the potential blowback of a physical attack. They can also provide anonymity and/or ambiguity, when that is desired by those responsible. A growing number of governments publicly acknowledge that they possess or are developing offensive cyber capabilities—many of whom maintain that it is within their sovereign rights to do so, provided that such capabilities are used responsibly. This is a narrative not unfamiliar to those in arms control and non-proliferation. While there is some debate among experts about if such a neat line can be drawn between offensive and defensive operations, there is little doubt that a “militarization” of technology appears to be well underway.
While less visible than a bomb blast, cyber operations have human costs and can escalate political tension. When medical facilities are forced offline—something that is occurring with growing frequency—it means that people awaiting surgery or receiving other forms of care take are affected. When a government turns off its internet, diverse human rights and fundamental freedoms are negatively affected. Power outages can have knock-on effects for other critical infrastructure upon which scores of people depend. There are also differentiated impacts of cyber operations in relation to gender, age, race, and ability, which is only starting to be documented and discussed.
Despite being sometimes portrayed as a lawless “wild west”, state action in cyberspace ought to be constrained by and undertaken within the boundaries of existing international law, as well as a set of eleven voluntary norms that have been developed through processes at the United Nations (UN). Through these processes, all UN member states have affirmed the applicability of international law to cyberspace. Most also maintain that existing law and the UN normative framework is sufficient for addressing cyber-related threats and harms and guiding state behaviour.
Except that it isn’t sufficient, as the examples cited in this blog demonstrate— or at least, it isn’t always being adhered to. Agreement on the overall applicability of international law is positive, but it is also a blanket statement that does not account for some of the unique complications posed by cyber operations and ICT misuse, for instance in relation to the interpretation of certain legal principles (sovereignty, territoriality, due diligence, and self-defence). Additionally, some states maintain that the UN Charter applies in its entirety while others disagree. There are complications in relation to attribution and legal accountability. A few countries still do not accept the applicability of international humanitarian law to cyber space and some don’t see the relevance of international human rights law when discussing cyber in an “international peace and security” context.
In looking ahead to 2022, it is imperative that the international community take meaningful action to foster cyber peace by curtailing malicious cyber operations and challenging cyber-related militarism. Just as we are seeing in other areas where technology and military interests intersect, such as autonomous weapons, new and more specific law may well be required. Currently most countries feel that this is too political challenging, partially because the shadow of proposed cyber treaties past—and present—looms large (Russia, China, Tajikistan and Uzbekistan first proposed a draft cyber treaty in 2013, and some of these countries are now leading a controversial initiative to negotiate a UN instrument on cybercrime).
Given this context, focus must be placed for now on accountability and implementation of existing law and norms, as well as public exchange and sharing of how states interpret their legal responsibilities with respect to international cyber peace and security. This must go hand in hand with efforts to build resilience, capacity, and trust.
Several multilateral forums offer space to do just this. Within the UN system, the UNGA’s First Committee on Disarmament and International Security has just launched its second open-ended working group (OEWG) on ICTs which will build on the outcomes of the first one as well as those of the six UN expert groups that have been convened over the last nearly two decades. Most states and the OEWG Chair are in agreement that they do not want this forum to be just another “talk shop”. There are a few proposals on the table for accountability mechanisms, but it remains to be seen if the political will exists to develop them further. More than 50 states have also endorsed a proposal to develop a cyber programme of action, inspired partially by the programme of action on small arms and light weapons, which may gain traction in 2022. Within these forums, civil society and some states are also calling increasingly for human-centric approaches to international cyber security, a concept akin to that of humanitarian disarmament.
For us in the arms control and disarmament community, we can do more to call attention to the cyber-related risks of existing weapon systems, recognizing that those risks are powerful incentives to disarm and demilitarize. We can also do more to address the growing role of digital networks in facilitating the illicit trafficking of weapons, the potential role of existing arms control agreements to stop the spread of harmful digital technologies, and the pivot towards cyber products being undertaken by some traditional weapons producers. We can pull from our long and collective experience in challenging militarized narratives of “security” to push back against the willful misuse of ICTs, prevent cyber harm, and build cyber peace.
Allison Pytlak is a Program Manager in the disarmament program of the Women’s International League for Peace and Freedom (WILPF).
What used to feel like science fiction is fast becoming a daily reality in our ever more wired lives. The scale and frequency of malicious cyber operations has intensified during the Covid-19 pandemic in line with a greater dependency on digital networks, even as digital divides persist. For instance, malware and ransomware attacks reportedly increased by 358% and 435% respectively in 2020. Software supply chain attacks rose by 650% last year while physical supply chains attacks have contributed to economic distortion. Disinformation, misinformation, and propaganda campaigns are increasingly affecting domestic political processes and Covid-19 pandemic response. A series of revelations about Pegasus spyware has demonstrated the extent to which authorities spy on individuals and organizations, and it is estimated that more than 486 million people were affected by internet shutdowns in 2021, an increase of 80% from the preceding year.
What this points to is not only that the misuse of information and communications technologies (ICTs) has become more frequent but also that ICTs are increasingly integrated into other methods of disruption, war fighting, and repression. While “cyber” was once viewed as a standalone domain, the use of cyber-related tactics or the targeting of ICTs directly has instead become a component of broader operations that pursue strategic goals. As just one example, the operation targeting Ukraine follows on from a history of Russia-linked cyber operations against the country—including one that knocked down Ukraine’s power grid in 2015—and has occurred in a context of current heavy military build-up and political tension.
For many perpetrators, cyber operations are attractive because they cause disruption and have impact but do not risk the potential blowback of a physical attack. They can also provide anonymity and/or ambiguity, when that is desired by those responsible. A growing number of governments publicly acknowledge that they possess or are developing offensive cyber capabilities—many of whom maintain that it is within their sovereign rights to do so, provided that such capabilities are used responsibly. This is a narrative not unfamiliar to those in arms control and non-proliferation. While there is some debate among experts about if such a neat line can be drawn between offensive and defensive operations, there is little doubt that a “militarization” of technology appears to be well underway.
While less visible than a bomb blast, cyber operations have human costs and can escalate political tension. When medical facilities are forced offline—something that is occurring with growing frequency—it means that people awaiting surgery or receiving other forms of care take are affected. When a government turns off its internet, diverse human rights and fundamental freedoms are negatively affected. Power outages can have knock-on effects for other critical infrastructure upon which scores of people depend. There are also differentiated impacts of cyber operations in relation to gender, age, race, and ability, which is only starting to be documented and discussed.
Despite being sometimes portrayed as a lawless “wild west”, state action in cyberspace ought to be constrained by and undertaken within the boundaries of existing international law, as well as a set of eleven voluntary norms that have been developed through processes at the United Nations (UN). Through these processes, all UN member states have affirmed the applicability of international law to cyberspace. Most also maintain that existing law and the UN normative framework is sufficient for addressing cyber-related threats and harms and guiding state behaviour.
Except that it isn’t sufficient, as the examples cited in this blog demonstrate— or at least, it isn’t always being adhered to. Agreement on the overall applicability of international law is positive, but it is also a blanket statement that does not account for some of the unique complications posed by cyber operations and ICT misuse, for instance in relation to the interpretation of certain legal principles (sovereignty, territoriality, due diligence, and self-defence). Additionally, some states maintain that the UN Charter applies in its entirety while others disagree. There are complications in relation to attribution and legal accountability. A few countries still do not accept the applicability of international humanitarian law to cyber space and some don’t see the relevance of international human rights law when discussing cyber in an “international peace and security” context.
In looking ahead to 2022, it is imperative that the international community take meaningful action to foster cyber peace by curtailing malicious cyber operations and challenging cyber-related militarism. Just as we are seeing in other areas where technology and military interests intersect, such as autonomous weapons, new and more specific law may well be required. Currently most countries feel that this is too political challenging, partially because the shadow of proposed cyber treaties past—and present—looms large (Russia, China, Tajikistan and Uzbekistan first proposed a draft cyber treaty in 2013, and some of these countries are now leading a controversial initiative to negotiate a UN instrument on cybercrime).
Given this context, focus must be placed for now on accountability and implementation of existing law and norms, as well as public exchange and sharing of how states interpret their legal responsibilities with respect to international cyber peace and security. This must go hand in hand with efforts to build resilience, capacity, and trust.
Several multilateral forums offer space to do just this. Within the UN system, the UNGA’s First Committee on Disarmament and International Security has just launched its second open-ended working group (OEWG) on ICTs which will build on the outcomes of the first one as well as those of the six UN expert groups that have been convened over the last nearly two decades. Most states and the OEWG Chair are in agreement that they do not want this forum to be just another “talk shop”. There are a few proposals on the table for accountability mechanisms, but it remains to be seen if the political will exists to develop them further. More than 50 states have also endorsed a proposal to develop a cyber programme of action, inspired partially by the programme of action on small arms and light weapons, which may gain traction in 2022. Within these forums, civil society and some states are also calling increasingly for human-centric approaches to international cyber security, a concept akin to that of humanitarian disarmament.
For us in the arms control and disarmament community, we can do more to call attention to the cyber-related risks of existing weapon systems, recognizing that those risks are powerful incentives to disarm and demilitarize. We can also do more to address the growing role of digital networks in facilitating the illicit trafficking of weapons, the potential role of existing arms control agreements to stop the spread of harmful digital technologies, and the pivot towards cyber products being undertaken by some traditional weapons producers. We can pull from our long and collective experience in challenging militarized narratives of “security” to push back against the willful misuse of ICTs, prevent cyber harm, and build cyber peace.
Allison Pytlak is a Program Manager in the disarmament program of the Women’s International League for Peace and Freedom (WILPF).
RSS Feed