"Initial Successes in Cyber Diplomacy are already visible"
The participating States of the OSCE have adopted a number of confidence building measures concerning the realm of cyber security some years ago - in 2013 and most recently in 2016. But lately, there has been a lot of talk about cyber attacks originating in participating States of the OSCE. Not a few even talk about a cyber war. Is cyber diplomacy failing?
No! I quite understand the critical approach to the term "cyber diplomacy," because the incidents that you hear about are very problematic. Nevertheless, from my point of view they show very clearly that we need more cyber diplomacy and not that it has failed. Especially when regarding the fact that cyber attacks take place on a technical level, it is vitally important to have contacts and communication channels at the political level. These are simply offered by the OSCE. Let me point out only three of the 2013 and 2016 Confidence Building Measures (CBMs) to illustrate this in more detail. According to CBM 3, all participating States declare to hold consultations. It may sound profane, but apart from technical assessments, it is crucial to have political talks together in order not to aggravate tensions or conflicts. Therefore, the dialogue shown here is very important. Based on this, it becomes more concrete in CBM 8. Relying on this, a Cyber Point-of-Contact network has been established, and today 54 states have nominated their national cyber officials. This network provides fast state-to-state communication to respond swiftly and politically to any cyber or information and communication technology incidents affecting one or more OSCE participating States. By the way, the Federal Foreign Office is providing financial support for the further expansion of this contact point network in accordance with CBM 8.
An important complement to the implementation of these policy consultations is behind CBM 13 (Use of Secure and Authorized Communication Channels). It intends to operate the existing OSCE Communication Network, which has long been successfully used for information exchange in conventional arms control, in the concern of cyber security. This network is physically made up of extra secured terminals for the exchange of sensitive data and information between the OSCE participating States. The Forum for Security Co-operation has agreed to co-use. Now the practical arrangement is worked out.
All in all, it can be seen that the OSCE is working on improving, deepening and implementing international cyber diplomacy, and that initial successes are already visible here.
However, the agreed-on CBMs for transparency, cooperation and stability are all voluntary and therefore legally non-binding. Is this sufficient to ensure that there will be no conflict in cyberspace that can develop into a conventional war?
I think on this point it is worth answering at some length: The OSCE is a regional security organization according to Chapter VIII of the UN Charter. Its purpose is complementary to the UN's aim to settle disputes and conflicts peacefully. For some time, the OSCE has identified so-called transnational threats, such as transnational terrorism or organized crime, and promotes dialogue and cooperation at a regional level to counter these threats. Cyber security was added in 2012 as a newer form of transnational threat. Essentially, it is about preventing tensions or crises between states from escalating into conflict at the regional level through confidence building. This danger is very concrete in the context of cyber attacks. If a state in political tensions with another is attacked in cyberspace, the lacking or imprecise attribution of the authorship of the attack often creates an acute danger of escalation, as the attack may be prematurely blamed on that other state. This should be prevented by building confidence, transparency and communication between OSCE participating States.
As far as the question of voluntariness is concerned, one might have to say that it is the essence of a confidence-building measure that it is freely agreed by both parties. In that sense, it bears some importance that the OSCE Ministerial Council, that is concretely all 57 foreign ministers of the participating States, unanimously approved the decision of the Permanent Council 1202 on cyber CBMs and encouraged all participating States to further the practical implementation of the CBMs. This is what happened at the OSCE Ministerial Council 2016 - incidentally in Hamburg under German Presidency.
The voluntary nature is therefore not a shortcoming, but extremely important to build and to deepen trust.
Many experts doubt that effective arms control in cyberspace is even possible. It seems just too difficult to count computer worms and software vulnerabilities like tanks and rockets. How is this problem discussed in the OSCE?
Admittedly, that is quite correct and describes the problem of the cybersphere pretty well. It is all the more important to seek ways to prevent conflict in cyberspace, and to this purpose the experience of conventional arms control can only be useful. Arms control should not only be seen as a legal framework "carved in stone" and should not only be judged by its effectiveness. Rather, it should be understood as a perpetual process in which different parties approach each other, exchange ideas, and at best ultimately cooperate. If we look at the development of classical arms control in the OSCE area, it has come about slowly. Some time ago, in the frame of the CSCE, the first step was laid in which the individual states provided transparency. Thus, the mutual exchange of data, intentions and plans has gradually created a basis of trust; sometimes also backed by a verification regime. Building on this, it was possible to negotiate and agree on concrete measures and mechanisms for arms control and even disarmament. Something similar is being attempted in cyber in the OSCE, which is a relatively new field in security policy. OSCE participating States regularly provide information on national cyber developments, e.g. new cyber strategies, legislation and activities. Even at the risk of repeating myself: on the political level it is of paramount importance to talk to each other in order to build trust and, based on that, to agree on concrete measures in the first place.
Currently, the option of state-run Hackbacks is openly discussed in Germany. Can you assess whether this option is based on the "exchange of good practice" under CBM 15? Have participating States even described their experience in active cyber-defense within the OSCE?
Certainly not. Concrete (technical) security remains the responsibility and task of the individual states, which have suitable instruments and facilities - mostly in the area of interior ministries and security authorities -, which are surely internationally networked at their level. In any case, there is no joint planning or coordination or exchange on active (practical) cyber-defense in the OSCE. The CBM 15 aims to better protect the vulnerabilities of states, in particular the protection of critical infrastructures. To do this, among others the exchange of information, experience and good practice, as well as a shared understanding of the gravity of cyber incidents should help.
When is a legally binding cyber-weapons limitation or better prohibition contract to be expected?
Well, you are asking a bit beyond the scope of the OSCE. The lead in such a process would be with the UN. For cyber, the UN Secretary-General since 2004 has convened so-called Governmental Group of Experts (GGE) inter alia for the development of cyber norms. The last GGE even ran under German presidency. Two UN high-level committees will soon start working in New York: a GGE, consisting of 25 high-ranking cyber experts, and an open-ended working group (OEWG) to which all UN member states can contribute. The Federal Republic of Germany will participate very actively in both committees. The intention to create international standards for this new challenge can be recognized, but it is also known that this is "a thick board to drill" that will take a lot of time. What is new is that the GGE plans to get to know the experiences and work of regional security organizations at an early stage in the process. So maybe this is an OSCE contribution to the emergence of international norms. By the way, the GGE will first speak with the OSCE; the appointments have already been agreed. The OSCE's work on confidence-building in cyberspace is internationally seen as a role model anyway: The ASEAN Regional Forum started developing Cyber CBMs for Southeast Asia based on the OSCE's Permanent Council Decision 1202 in 2018.
So you see, and that is my credo, international security cooperation needs time and, above all, mutual trust, as well as organizations like the OSCE. This is an important basis for a peaceful international order, whether "analogue" or digital.
Dear Captain, thank you very much for this interview!
Captain (GE Navy) Matthias Friese Politico-military Adviser, Permanent Mission of Germany to the OSCE, i.a. responsible for cyber. Multiple assignments in the field of naval aviation, including commanding officer. Admiral Staff Officer Course. Desk Officer in the military policy department and the office of the Parliamentary State Secretary in the Ministry of Defense as well as in the planning staff of the Minister of Defense. Director of Studies at the Federal Academy for Security Policy. Deputy Commander Territorial Command Bavaria/Garrison Commander Munich. Publications on security policy, Afghanistan and navy (naval history).