How can conflicts within cybersecurity be mediated and resolved? Latha Reddy, Former Deputy NSA GOI & Co-Chair of the Global Commission on the Stability of Cyberspace, Aaron Shull, CEO, CIGI Canada and Richard Wilcox, Senior Advisor CHD, Geneva deliberated on this topic during the Synergia Conclave-2019.
Cyber conflict like international terrorism, international crime and international narcotics trade, thrives in trans-national space, where national laws do not hold jurisdiction. In September 2019, France issued a statement calling for international law for cyber-space. A few weeks earlier the Attorney General of UK also reiterated the need for an International Law for Cyber Space, at Chatham House.
There is a general consensus among world leaders and relevant stakeholders that cybersecurity ought to be one of the main priorities of the 21stcentury.
Latha Reddy, former Deputy NSA & Co-Chair of the Global Commission on the Stability of Cyberspace, spoke about the work conducted by her organization when it comes to creating stability within cyberspace. Calling it a truly global dilemma, she said that there was a need for multi-stakeholders to come together to fix cyber problems. Solutions are important, especially when it comes to criticalities like protecting electoral systems infrastructure in all countries and not just in democratic nations.
While management of cyberspace may perplex us at the moment, but these are exciting times, and the solution is there to be sought. To facilitate this, a collaborative approach is required, and more stakeholders should come forward, and more groups to be formed to address key challenges.
Norms for the use of cyberspace must come up and should be adhered, voluntarily to begin with and later compulsorily. It is not only governments who are part of the process but also non-sovereign entities. During the Paris Call for Trust and Security in Cyberspaceorganised by UNESCO Internet Governance Forum (IGF) last year, a high-level declaration in favour of formulating principles for cyberspace security was made which was supported by 564 official supporters: 67 States, 139 international and civil society organizations, and 358 entities of the private sector.
The proposed norms look at protecting the internet, which is the core of the cyberinfrastructure. Emphasis will by upon security of electoral systems. The Westphalian concept of state sovereignty will be maintained, and governments will remain supreme despite the coming together of all other elements. There is a call for cyber hygiene which implies that at the manufacturing stage, there will be no tampering with the devices to plant malware etc. The norms will take into account the role of non-state actors whose vectors will be 5G.
Ending on an optimistic note, Reddy said, “I believe in solutions rather than problems. Cyber is a wonderful world that we can fix and let’s find a way to fix it.”
Aaron Shull, CEO, CIGI Canada, highlighted the fact that most governments have not been able to keep pace with the technological development in the cyber world and do not comprehend its complexities to frame appropriate policies. Cyberspace does not respect bureaucratic silos and cuts across all types of boundaries.
Political mandates are short term, whereas cyberspace issue is complex and generational. No one recognizes the threat to free and fair electoral processes from cyber interventions. Foreign adversaries- state and non-state- to produce a hybrid effect can operate in these grey zones and threaten entire institutions- diplomatic, informational, military and cyber- and there is no adequate structure in place within governments that can address it.
Even the economy of today is fundamentally different from the past with tangible sectors like real estate etc. being dominated by intangibles like IT. FB and other social media platforms are big businesses which lie entirely in the cyberspace.
International charters need to be re-looked at. For example, Article 24 of UN Charter which describes the use of force has no mention of the use of cyberweapons to cause destruction, say placing a logic bomb in a sensitive national infrastructure system to cause its disruption. This is when it is common knowledge that all countries already possess the offensive cyber capability, yet no international law exists to regulate its usage.
We are entering a risky world as nations rush to create cyber arsenal. There is a need for robust rules that can enhance stability. However, divergent interests act as stumbling blocks and solution lies in states putting their short term strategic interests behind in favour of global stability. He wondered if the solution lay in changing the way the conversation took place within world governments
Dr Richard Wilcox, Special Advisor, Cyberconflict Diplomacy, HD Centre Geneva espoused the role of private players like his company to resolve cyber conflicts. He described the strategies that can be adopted.
Cyber tools have become the weapon of the first choice as it is impossible for anyone in the near term to defend against cyber-attacks. There is an arms race when it comes to cyber arms, and this could prove to be another challenge. He wondered about how nations can defend themselves. He asked rather than settling for mutually assured destruction, can nations settle for mutual vulnerability. He wondered what deterrence would be like with these new challenges.
Explaining the logic as to why states and non-state entities are engaging in cyber conflicts, he listed the characteristics of cyber weapons which make them the ideal choice-targets critical points and can spill over private domains.
Providing an answer to the question why one should attempt to mediate on cyberconflict specifically, he explained that conflict is the continuation of politics by other means to paraphrase Clausewitz and attempts to mediate for peace need to address the political causes. Cyberconflict extended the continuation of politics by other means into a new technical domain. Nothing fundamentally different for mediators thus far. So why a specific focus on cyber instead of sticking with traditional political mediation agendas? In fact, in the security community, the extension of conflict into cyberspace was at first seen as a good thing as it gives policymakers engaged in conflict greater menu of non-lethal and hence less escalatory weapons. But the conduct of that continuation of politics can take on its own dynamic. And cyberweapons have a unique dynamic that requires a special kind of mediation.
Three key conflict strategies require or at least can benefit from communication (and hence mediation) at different levels. First is Defense where you have a shield, and there is little that opponent can do to you. So, there is not much need to talk or negotiate. Second is Deterrence. You issue clear and credible threats. Need to make sure opponents get it that you’re done talking and will retaliate strongly. The third is the Tit-for-tat. “You hit me- I hit you”. To keep this strategy from escalating, near-constant communication in some channel is necessary to prevent endless escalation. The opponent needs to understand what a retaliation was meant to end the exchange and what is an escalation requiring yet another response.
Cyber falls into the third category. Defence alone isn’t promising (at least at present). Too many gradations and obfuscations to make deterrence threats work. So, you’re stuck with tit-for-tat strategies that require the most communication, which increases the utility and need for talking while parties may find it difficult to talk. That’s something discreet; private third-party mediators can help with.
Cyber in any politically adversarial setting also creates constant activity. To be able to use cyberweapons needs deep preparation and constant search for vulnerabilities and a persistent presence. That in itself is provocative and can benefit from communication to prevent unintended escalation.
Non-state entities can be hired to enable such channels of communication, connect counterparts to build confidence in the ability to communicate and establish CERT contacts. Public-private partnerships need to be a key part of these channels. Much expertise resides in the private sector in privately-owned infrastructure and systems, the private sector often is (inadvertently) targeted, and has key expertise to contribute.
The substance, the content of these communications is where what private companies do intersect with the international efforts to establish and promote norms of acceptable behaviour in cyber. While it may be said that norms are not the end by themselves, they do create a basis for understanding what an escalation is and what isn’t.
- Conflicts can be heightened online by what is known as the ‘disinhibition effect’. People say and do things in the cyberspace that they wouldn’t ordinarily say or do when they meet in person. The disinhibition effect is caused primarily by anonymity, invisibility and delayed reaction.
- Information and Communication Technology (ICT) presents one of the most formidable challenges to global security. It is predicted that the next major international crisis could be due to a state or terrorist group weaponizing ICTs to destroy critical infrastructure or military logistics network.
- The proliferation of asymmetric warfare has increased states use of ICTs, which mandates the adherence to an international code of cyber conduct. The near-total digitization of the financial markets makes the global economy more vulnerable to cyber-attacks not only from states but also from criminal organizations and other non-state actors.
- The total cost of the Wanna Cry attacks was estimated to be US$ 1 billion. A major cyber-attack on a cloud services provider such as Amazon could trigger economic losses of up to US$ 50 billion The Russian Federal Security Service (FSB) estimates that cyber-attacks already cost the global economy US$ 300 billion.
- It will be important to create an international cyber court that deals with government level cyber conflicts that could be recognized and respected by all parties. It will equally be important to restrict the use of autonomous cyber weapons like the one conceived by the US Project Monstermind.
- The UN GEE experts form must be reconvened to ensure consensus on the 2017 report and be given a stronger official status.