Is cyber-armament a growing trend? What are the main diplomatic responses? And why is the private sector calling for a global political dialogue? This post analyses cyber-armament as a growing trend, and looks at diplomatic and private sector initiatives on tackling cyber-conflicts. It also makes reference to DiploFoundation’s latest report, Towards a secure cyberspace via regional co-operation.
When a power outage amounting to 200 megawatts unexpectedly struck Kiev on Sunday, 18th December 2016, leaving the northern part of the city without electricity at temperatures below zero, those responsible at Ukrenergo, the national energy company, started investigating a possible cyber-attack. A similar attack, which occurred in Ivano-Frankivsk a year earlier, had been attributed by some cybersecurity experts to Russian hackers. This was, however, just the continuation of a long list of politically motivated cyber-attacks. The list, which started with the 2007 attacks on Estonia (since incidents before this were either not recorded or did not raise such geo-political interest), also includes:
While various experts and security companies have competed to analyse the malware code and attack patterns to discover the culprits, and have often pointed fingers at certain hacker groups possibly connected to governments, in most cases governments themselves refrain from officially attributing cyber-attacks to another state. It is unlikely, however, that criminal hacking groups would have the motive and the resources (including, in some cases, the necessary intelligence) to perform many of the listed attacks, which opens the door to speculation that governments might, at the very least, be offering support to those hacker groups.
There is evidence, however, from official documents and media coverage that countries are increasingly investing in both defensive and offensive capabilities. Refer to the Digital Watch interactive map, which continuously records reports of cyber-capabilities.
While some cyber-weapons may be used during conflicts to disable critical sectors (such as power or water supplies) and cause panic and suffering for citizens, the examples show that they are more commonly used in peacetime, as a component of so-called hybrid warfare, which allows subtle disruption of political, economic, and social conditions without crossing the threshold of an armed attack.
What constitutes an armed attack in cyberspace has not yet been agreed. A group of independent international experts, gathered by NATO, offer suggestions within the second and updated version of the Tallinn Manual (Tallinn Manual 2.0) on what may constitute an act of war in cyberspace and how parties could respond to those (jus ad bellum), as well as how existing legal principles of warfare could apply to cyberspace (jus in bello).
Over the last 10 years, the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) has gathered dozens of countries to discuss global norms of state behaviour in cyberspace as well as confidence-building measures (CBMs) and capacity-building needs. In its landmark reports of 2013 and 2015, the UN GGE affirmed that existing international law applies to cyberspace, and agreed on a number of specific voluntary and non-binding norms that responsible states should adhere to in peacetime. It also developed a set of CBMs aimed at strengthening communication and co-operation among states in peacetime. In recent years, several regional organisations ‒ namely the Organization for Security and Co-operation in Europe (OSCE), the Association of Southeast Asian Nations (ASEAN) Regional Forum, and the Organization of American States (OAS) ‒ have also developed their own instruments for co-operation, confidence building, and capacity building, which may help operationalise the UN GGE’s efforts and provide suggestions for its improvement in the future. The study Towards a secure cyberspace via regional co-operation provides an overview of the main diplomatic initiatives, and a comparison of norms, CBMs, and capacity-building proposals.
The study Towards a secure cyberspace via regional co-operation was prepared by DiploFoundation, in partnership with the Geneva Internet Platform (GIP), with the support of the Swiss Federal Department of Foreign Affairs (FDFA), on the occasion of the second meeting of the 2016/2017 United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE), held in Geneva in November 2016. Its intention is to provide an overview of the international dialogue on establishing the norms of state behaviour and CBMs in cyberspace. It offers a comparative analysis of the leading international and regional political documents outlining cyber-norms, confidence-building measures (CBMs) to reduce conflict stemming from the use of ICT, and capacity-building efforts to strengthen co-operation on cybersecurity. Consequently, it discusses how they could further influence each other, and notes several specific directions that further developments could take. The report is available for review and download at: https://www.diplomacy.edu/cybersecurity
The 2017 report of the UN GGE is expected to respond to some of the emerging concerns. Some critics, such as Brandon Valeriano and Allison Pytlak of the Niskanen Center in Washington DC, are of the opinion that the recent cyber-attacks ‒ such as those on the Ukraine power grid and on the US elections ‒ confirm that the UN GGE’s work has had no real impact in practice. Others, like Arun Mohan Sukumar of the Observer Research Foundation in Delhi, India, add to this the fact that its recommendations are not legally binding or codified as international law. On the other hand, Michele Markoff, the US delegate to the UN GGE and Deputy Coordinator for Cyber Issues in the Office of the Coordinator for Cyber Affairs at the US Department of State, stated that the norms apply in peacetime, while Ukraine is in a state of conflict; similarly, before January 2017 (when it was first classified as critical), the US election system did not fall under critical infrastructure, and the norms therefore could not apply. With the increasing trend of politically motivated attacks that aim to disrupt the social, political, and economic environment of opponents, the UN GGE norms and process may be facing a serious test.
Another question is what the future of the UN GGE should be, and whether its 2017 report should lay out a suggested way forward. There is general agreement that the work of the UN GGE is very useful, and that it could keep providing strategic guidance in the area; experts related to the OSCE, the OAS, and the ASEAN Regional Forum agreed at the November event in Geneva that it would be good if the UN GGE worked more directly with these and other regional organisations on the implementation of various norms and CBMs. The question remains, however: What should the future format of deliberations be?
Some countries have expressed concerns over the UN GGE’s limited and rather closed participation (the 2016/2017 UN GGE consists of experts from 25 countries). While this may have helped reach consensus among experts of the lead powers, especially the USA, Russia, and China, with the growing trend of cyber-armament among other countries, it will become important to involve more if not all the countries in some form of dialogue. One option may be the enhancement of the UN GGE to include more members; another may be the creation of a larger standing body involving all interested states; a third may be the creation of some sort of standing mechanisms to follow up on armament and the implementation of norms (similar to nuclear arms non-proliferation mechanisms). This question is closely linked to one about the role of the future UN GGE or other mechanisms: Should it continue working on norms and CBMs? Should it provide more general dialogue on implementation? Or should it become a mechanism for states to act collectively when norms are breached? At a recent event of the Carnegie Endowment for International Peace, Ms Markoff, as the US expert on the UN GGE, expressed the opinion that it would be important to agree on the possible future model before dismantling the UN GGE, and emphasised that the UN GGE should pause the development of new norms and CBMs and turn to making countries implement the existing ones.
In the meantime, countries are putting cyber at the top of their diplomatic agendas, and increasingly turning to bilateral arrangements. Relations vary from bilateral meetings to strategic partnerships (such as between Canada and Israel), from continuous dialogue (such as the EU-Japan cyber-dialogues) to statements and communiqués (such as the joint statement by the prime ministers of Sweden and India, or the joint declaration of the Czech Republic and Israel), from Memorandums of Understanding (such as between the UK and Singapore) to bilateral agreements (such as between Brazil and Russia or between India and Russia). Refer to the Digital Watch interactive map, which continuously records bilateral agreements in ICT and cyber issues.
Private sector stepping in
Interestingly, the corporate sector has also started calling for political agreement. After it surprised the traditional security community with its own proposal for cyber-norms of state behaviour, Microsoft recently called for a Digital Geneva Convention which should ‘commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property... it should require that governments assist private sector efforts to detect, contain, respond to and recover from these events, and should mandate that governments report vulnerabilities to vendors rather than stockpile, sell or exploit them’.
Microsoft further called for the establishment of an independent organisation, involving both public and private sectors, ‘that can investigate and share publicly the evidence that attributes nation-state attacks to specific countries…’, similar to the role played by the International Atomic Energy Agency in the field of nuclear non-proliferation (note the similarity with one of the proposals on the table for the future of the UN GGE). Some companies are already warning their customers when digital forensics shows that states are behind a cyber-attack. This signals the emergence of a business model responding to clients' demands. Such an independent organisation would, therefore, raise these emerging technical efforts for attribution to a political level, to produce a worldwide name-blame-shame effect.
The business interest in calling for political solutions should not come as a surprise. We have already analysed the general context in our Digital politics in 2017 outlook. Specifically, cyber-armament is predominantly based on exploiting vulnerabilities in commercial private-sector products. This has profound consequences across the globe. Exploiting product vulnerabilities endangers billions of users, and potentially makes any device a cyber-weapon itself by turning it into a bot (a hijacked device driven by perpetrators to attack others). Also, exploiting vulnerabilities instead of reporting them to the vendors prevents the affected products from being fixed and decreases overall global cybersecurity. Moreover, governments often purchase those exclusive exploitation tools (known as zero-day exploits) on black markets, thereby subsidising criminal hackers. Once the exploits are used, they are discovered by security companies as well as other criminal groups, and are easily transformed into widespread tools for criminal activities targeting millions of users who might not have patched their software.
According to Angela McKay, Director of Cybersecurity Policy and Strategy, Global Security Strategy and Diplomacy Team at Microsoft, threat models for enterprises are distorted, since the private sector now plays multiple roles during cyber-attacks: a possible target of cyber-attacks; the attack vector, thanks to its products being misused; and the entity responsible for cleaning up the consequences. This raises the costs for the industry, but also dangerously diminishes consumer trust in ICT products and services. Perhaps Paul Nicholas, Senior Director of Microsoft's Global Security Strategy and Diplomacy Team, expresses it even more bluntly: ‘I am out here building something to deliver commercially through a threat model that I think is reasonable, and yet there is somebody in Moscow or Beijing or Maryland or somewhere working on something that is designed to blow up my product. That blows your product threat model..., no way to anticipate that.’
While the initiative for a global political dialogue by the private sector is certainly welcome, it is equally important that the private sector looks into its own backyard at how it can make its own products safer, as well as how it could become more responsible (if not liable) for vulnerabilities. Microsoft's second paper on norms proposes norms for the industry; it is certainly a good start, but may need to be followed up more proactively by the ICT industry, to increase its credibility in the international dialogue on cybersecurity.
This blog was originally published as a three-part post on Diplo's website.