This is the fourth blog post in a series looking at an array of issues in 2019 related to weapons use, the arms trade and security assistance, at times offering recommendations.
In 2019, it is virtually certain that hostile cyber operations will continue to occur—both between governments, and between governments and citizens. What are these threats exactly, and how can the global community act to keep the peace in cyber space?
The threat, is real
2018 was another active year for hostile cyber operations, to put it mildly. State-sponsored hacking groups zeroed in on prominent international entities such as the Organization for the Prohibition of Chemical Weapons, alongside other targets like universities and hotel chains. Data exposure schemes kept pace with data breaches. We learned more about the vulnerability of the United States’ electrical grid.
While these operations do not constitute the doomsday scenarios that early cyber watchers predicted, they have nonetheless generated an increasingly militarized response from governments and experts, in which it is taken for granted that this is and will continue to be a fighting domain, and the best we can do is establish some rules of the road for damage control. This mentality is reflected in the role that digital technologies now play in some national cyber strategies and military doctrines. For instance, in September 2018 the United States’ new National Cyber Strategy adopted an aggressive stance, promising to "deter and if necessary punish those who use cyber tools for malicious purposes." The U.S., the United Kingdom and Australia have been open about the use of offensive cyber tactics against the Islamic State. Germany has slowly been transitioning to a more offensive approach; other European countries have been open about seeking the same.
The slow drift can also be seen in how and where states are discussing international cyber security. In the United Nations (UN), this is an offshoot of disarmament and arms control bodies. Other multilateral fora tend to bring together individuals with that background as well. Consequently there is frequently an effort to import and apply hard security concepts to this domain—“cyber deterrence” is one example; efforts to fit traditional arms control regime-style solutions are another.
Accepting the militarization of cyber space without question further risks adopting frameworks and guidelines that are more permissive of harm to the population than international law allows, pushing the possibility of achieving cyber peace further away.
Many responses, any real solutions?
Navigating through the volume of policy and normative proposals that exist to guarantee global cyber stability is a bit like trying to line up the colors in a Rubik’s cube: you can see some patterns, but getting all those squares to click into place is a challenge. Below is a non-exhaustive overview.
The UN, the world’s largest multilateral negotiating fora, has since 2004 been the home of a Group of Governmental Experts (GGE) on information and communications technologies, or ICTs for short. The early Groups examined existing and potential threats in cyberspace and possible cooperative measures to address them, while more recent ones worked to develop behavioral norms for actions in cyberspace, culminating in eleven norms that were recommended by the Group in 2015 and subsequently adopted by the General Assembly.
This seems to have been a highpoint for the Group however—significant differences over foundational questions such as the applicability of international law and the UN Charter to cyber space prevented agreement on a report in the next round. The geopolitical lines along which countries were divided is nothing new (in general terms, the west versus the rest) yet the extreme degree to which this issue became polarized in 2018 was unexpected, and has resulted in a procedurally conflicted and potentially counterproductive two-track UN approach to one of the most ubiquitous security threats facing the international community today. In 2019, there will be two UN entities concurrently taking work forward on cyber security norms: an open-ended working group that originated from a Russian-led initiative, and a US-inspired GGE. Exactly how these entities will interact remains unknown and the cost and administrative burden of managing both is not insubstantial.
Some have noted that deadlock at the UN gives impetus to, and space for, the efforts of other stakeholders. Governments, the tech sector, and other experts have been interacting for years through the Global Commission on the Stability of Cyberspace, which, in November 2018 proposed a set of six norms toward cyber stability. Also in November, France launched its Paris Call for Trust and Security Cyberspace during the Paris Peace Forum. The Paris Call is unique in bringing together endorsements from government, industry, and non-governmental organizations, but so far lacks support of some states, including Russia, China, United States, India, and Brazil.
Within the technology sector, Microsoft has framed itself as something of a moral compass in this space, first by publishing its own International Cybersecurity Norms in 2015 and most recently by playing a driving role in the Cyber Tech Accord. The Accord binds together 60 companies to partner on initiatives that improve the security, stability and resilience of cyber space—although some critics argue that implementation has fallen short. Somewhere in between the norms and the Accord, Microsoft’s CEO also called for the development of a Digital Geneva Convention in 2017, building somewhat on the contributions of the International Committee of the Red Cross to the literature on the applicability of international humanitarian law to cyber space.
Clearly, from the number of times that I have used the word “norms” in the last several paragraph, both state and non-state actors alike are fans of developing some—or of implementing those that are already agreed. Yet what of something legally binding? That’s even more of a fraught issue, tangled up in geopolitical and ideological divide. Russia has been proposing a UN cyber treaty for well over a decade but has not gained sufficient support from other states, largely because elements of the draft it has put forward could legitimize some of their more nefarious domestic practices in curtailing internet freedom. Any new treaty-based initiative—and support for that does exist— would need to somehow account for this in a way that doesn’t isolate support or spark competition. It would also need to navigate existing regional and bilateral cyber security pacts.
Taking a people-centered approach in 2019
Perhaps the biggest blind spot in all the above initiatives is the human one. Very little information related to the human impact of cyber operations makes its way into multilateral discussion forums on cyber security and this contributes to institutionalization and taking for granted the broader societal harm of cyber conflict.
There is, however, an ever-growing and highly credible evidence base illustrating the negative uses of digital technology in repressing human rights, notably the rights to freedom of expression, speech, assembly, and privacy. This is not a practice limited to just a handful of governments, but one that is practiced in many parts of the world.
The human rights dimension of the cyber security agenda is usually separated out from the “international security” agenda, at least in the context of the UN. This is due in part to the structure of the UN itself, but possibly also because it’s politically awkward—some of the countries that are the largest proponents of cyber stability and norm development, for example, are also quietly permitting the export of digital surveillance technologies produced by companies in their jurisdiction. This has been an on-going debate among European Union countries in particular, in which the dual-use nature of digital surveillance technologies has been at times an excuse for not taking a meaningful policy response.
Continuing to factor out human rights and humanitarian impact from inter-governmental discussions about global cyber security makes it easier to think of this domain in purely military and hard security terms. Our experience in banning nuclear weapons and regulating the global arms trade demonstrates that incorporating these perspectives can alter the discourse and generate people-centered responses.
Where to from here?
Like a genie out of the bottle, it’s unlikely that the digital threats will decline in 2019, so to return to the question posed at the beginning of this blog: how can the global community act to keep the peace in cyber space?
First, we must stop using the same words, language, and approaches that we apply to traditional disarmament and security issues, and understand cyber space on its own terms: as both a medium in which conflict can occur, as well as a multi-faceted tool to cause disruption and harm offline. Trying to determine what a cyber bomb equates to in the kinetic world is futile; there is no such thing, and this of thinking encourages “round peg in square hole”-type solutions.
Yet, we cannot underestimate the vulnerability of digital networks and systems that prop up existing weapons and weapon systems. Nuclear weapons are vulnerable to cyber operation. The systems that enable unmanned aerial vehicles are vulnerable to cyber attacks. This should be further incentive to disarm.
Third, it’s frustrating that progress at the UN has been held hostage by power politics. It’s also concerning that two of the world’s largest cyber bullies are at the helm of new efforts. This can, however, be an opportunity for other states to step up and play constructive roles in bridging differences and brokering solutions,—as they’ve started to, along with other stakeholders.
Fourth, it will be important to harmonize efforts across the patchwork of responses identified here, in order to avoid redundancy and maximize knowledge and move toward implementation of what has already been agreed. States should establish the strongest norms against malicious operations—and reduce the motivation to pursue aggressive cyber capabilities.
Last, we must stop overlooking the human dimension and talking about cyber security in sanitized and faceless terms. Human rights considerations, for example, should be included in all discussions rather than being sidelined in the standard arms control and disarmament forums.
Allison Pytlak is the Programme Manager of Reaching Critical Will, Women’s International League for Peace and Freedom (WILPF)