More Responsibility for Cyberspace – But How?
Public and international debates about security and peace in cyberspace and the potential risks of catastrophic cyber conflicts have intensified in recent years. The West has been especially keen to advocate an "open, secure, and peaceful" cyberspace; yet states are preparing for effective cyber defence and have long been actively pursuing intelligence operations in cyberspace. The risk of cyberattacks with fatal consequences is rising because the modern world is becoming increasingly networked and computerized. This trend will accompany the continued push for digitization. Key topics include the Internet of things (IoT) and advanced manufacturing (think 3D printers), as well as the debate around artificial intelligence.
Furthermore, increasingly aggressive forms of cyber operation such as the hack back and cyber offensives are being discussed, prepared, and sometimes even carried out.1 According to the latest threat analysis by the USA, around 30 states possess offensive cyber capabilities, enabling them to penetrate computers in other states, steal sensitive information, manipulate it, and disrupt automated processes. The USA itself has been a major technological trendsetter in this respect.
Organizations like NATO, the OSCE, and the European Union have also elevated cybersecurity to a new priority level. Confidence building measures are being discussed, as are offensive strategies, deterrence, and arms control proposals.
The German Armed Forces have set up a military branch for cyber defence with a total of 13,500 posts in its newly founded Kommando Cyber- und Informationsraum (Cyber and Information Space). On the one hand, its first task is to operate domestically and in countries of deployment as part of active defence so as to draw together and strengthen the use, protection, and operation of the German Armed Forces' IT systems. On the other hand, it also aims to improve and develop the capabilities for reconnaissance and actions in the Cyber- und Informationsraum.
But what does this all mean in a world that is increasingly networked and shaped by digital technologies? What global environment is this development taking place in, and what limiting steps can be taken nationally, EU-wide, and internationally? There are no simple answers, given the rate of change in technology and security policy. The mere creation of institutions like the Cyber-Abwehrzentrum (Cyber Defence Centre) and a rapid response force by the German Federal Office for Information Security will not be answer enough. If soldiers are to operate in cyberspace, then clear definitions, standards, and rules of behaviour will have to be created to uphold the obligations of international law and prevent a digital arms race. States will also have to lay down appropriate standards and principles to prevent the Internet from becoming even more militarized. So it is becoming increasingly urgent for foreign and peace policymakers to find consistent strategies as a precaution against threats, to distribute resources meaningfully, and to create sound defensive concepts. And at an international level, the EU and Germany will have to position themselves more rigorously in the face of stiffening competition between the USA, China, and Russia.
Fundamentals of conflict in cyberspace
The temporal and spatial limits of today's warfare are blurring. The Internet itself knows no territorial boundaries. Secret operations, hybrid warfare, and propaganda war are common buzz phrases in this context. The inter-agency Cyber Security Strategy for Germany in 2016 pointedly declares: "Internal and external security in cyberspace can no longer be clearly delimited."2 This insight is neither new nor especially expedient. But it does pose new questions about the responsibility, jurisdiction, and potential efficiency measures of the agencies involved (Federal Ministries of the Interior and Defence and Federal Foreign Office). None of this has an easy answer because many factors in the "brave new cyberworld" remain vague, from the assessment of threats and matters of definition to the effective, competent preparation of appropriate and effective active and passive countermeasures. And the international debate faces numerous obstacles that cannot be circumvented.
Cyberwar is a term often used but almost impossible to define clearly. There is not yet an internationally accepted definition. The current spectrum of cyberattacks is broad and fluid.3 It ranges from DDoS attacks, data theft, reconnaissance, espionage, and sabotage (Stuxnet), all the way to potentially active warfare.
Military and intelligence services are overcoming technical barriers and are already penetrating the computer systems of other states. Their motives are many: they may be psychological or to prepare for further acts of aggression ("preparing the battlefield"), but they may also aim to weaken an opponent. Such attacks can target not only military facilities, but also industrial ones (oil production, energy supply, financial systems), which means critical civil infrastructure in the broadest sense. Players' motives and capabilities can vary greatly. What is key is that today's software and hardware development leaves many vulnerabilities open, allowing security barriers to be overcome.
Cyberattacks may be part of a comprehensive operation and may include military components. Israel, for instance, bombed an incomplete nuclear reactor in Syria after its air defences (i.e. radar and defence missiles) had been electronically disabled. Estonian government, bank, and media websites were blocked in 2007; a Russian youth organization loyal to the Kremlin later declared its responsibility for the attack. Russia probably coordinated cyber operations along with conventional attacks against Georgia in 2008. President Obama announced in 2016 that cyber operations were being used in the offensive against IS. There are other examples. The Stuxnet worm, which was used against Iranian centrifuges, demonstrates the traits of a cyberweapon. It included a carrier with a "payload" whose modular structure allowed it to be used against different targets. The effects of such disruptive malware are hard to gauge. The NotPetya malware was used against Ukraine by a Russian hacker group, but seems to have accidentally hit the shipping company Maersk, which had to shut down operations briefly. Other examples include the ransomware WannaCry and Bad Rabbit. These activities cause considerable economic and psychological damage, but are not considered direct acts of war.
An increasing number of cyberattacks are being used in today's conflict configurations. Russian hackers probably succeeded in deactivating a high voltage facility near Kiev (Operation Crash Override) in 2016. The 2014 attacks on Sony Pictures were classed as "acts of war" on the part of North Korea by the Obama administration, but there was no military response. Typical backlash to date has included public denouncement, sanctions, and the expulsion of diplomats, but no actual "kinetic" acts of war. This also shows that ultimately, each state alone will decide for itself whether an act of war has taken place.
Progress would be made if the UN Security Council were to develop a clear set of regulations based on the principles of international humanitarian law. Cyberspace has so far been a domain of asymmetrical political warfare, combined with the diplomacy of coercive measures (such as sanctions and embargos). There are also numerous secret Internet operations that might escalate, but have not yet reached a conventional war threshold. But that could change. It should also be stated that cyberweapons can proliferate and be stolen by other states (example: EternalBlue).
"Militarization of cyberspace" through competition between states?
The US government's worldwide threat assessment places cyberthreats on page one of global dangers, citing Russia, China, North Korea, terrorists, and criminals as players. The US analysis goes on: "Many countries view cyber capabilities as a viable tool for projecting their influence and will continue developing cyber capabilities."4 Cyber operations against the North Korean missile programme in summer 2017 underscored the USA's aspiration and willingness to take military action in cyberspace - even if their actions did not lead to the desired result in that instance. So far there has been no escalation and the impact has also been limited. But that need not always remain the case. A future war combined with massive cyberattacks is within the realm of possibility.
Strategic documents published by the Trump administration have called the "struggle for power between the USA, Russia, and China" a paradigm for the 21st century, which is why the USA's cyber policy speaks a more aggressive language than it did under Obama. It has been bolstered by interviews with security advisor John Bolton and the language of a vision statement issued by US Cyber Command entitled "Achieve and Maintain Cyberspace Superiority."5 This calls for "persistent action" to maintain the USA's cyber superiority. Offensive preventative action has thus been declared the norm. This is reflected also against the background of reviving competition in the National Defense Strategy (2018) and National Security Strategy (2017). According to the US military's joint publication on Cyberspace Operations dated June 8, 2018, offensive cyber operations aim to "project power in and through foreign cyberspace."6 In the new 2018 DoD Cyber Strategy and Cyber Posture Review, one of the central themes is "using cyberspace to amplify military lethality and effectiveness."7 A study by the Cato Institute concludes from this: "Cyberspace became a domain for soldiers, not just networks of spies."8
Russia uses the prefix "information" instead of "cyber," and published a doctrine of "Information Security" itself in 2016.9 They are especially concerned about other states destabilizing them through information and psychological influence. Furthermore, their term "information sphere" places much more emphasis on actual information disseminated through the Internet. This means that bans create the possibility of increased censorship in the country. At the same time, Russia wishes to set up its own, easily controllable version of the Internet. Any new cyber doctrine responding to the latest US doctrine is sure to contain more aggressive elements, not least because Russia is strongly suspected by the USA of intervening in the 2016 US presidential elections by means of cyber operations.
China also avoids the term "cyber" and speaks instead of "information threats." It has been carrying out cyberespionage operations for decades, especially against the USA.10 One element of this is the theft of secret military information, another is the theft of business information (patents and so on). At a meeting between presidents Obama and Xi Jinping in 2015, they agreed on a kind of moratorium, and Chinese attacks did indeed decline. This shows that bilateral agreements can work. But they are unlikely to be able to prevent future digital armament, especially since various other states are preparing themselves for defensive and offensive operations in cyberspace.
Potential peace-consolidating activities for cyberspace - national and international
The international community has been discussing international campaigns, rules, and instruments to prevent a burgeoning digital arms race and attenuate the gradual militarization of the Internet, especially since the Stuxnet incidents in 2010. This poses many new questions. How can we be sure that cyber operations will not lead to real escalation and even acts of war? How can the various players - i.e. states, industry, and civil society - work together to keep the Internet "uniform, secure, and peaceful?" Given the complexity, size, and laws of cyberspace, can principles and rules be set up efficiently and verifiably to prevent catastrophic cyber activities? In contrast to conventional arms control acquis, cyberspace is open to anybody, fast-growing, technologically fast-transforming, and driven primarily by private business interests. So the inclusion of civil society, industry, and business is essential to any future regulation.
In cyberspace, "The best defence is a good defence."11 The past ten years have seen considerable efforts at various levels to establish and implement shared international rules. The Tallinn Manuals (Vol. I and Vol. II) set out rules under international law in the NATO context that address numerous legal questions about the applicability of international law. At a national level, governments are required to protect their own digital structures and make them resilient as part of their precautions against catastrophe and war. This includes raising user awareness, effective early warning systems, vulnerability analysis, "attribution scanning," and more resilient network structures. Arms export control also has to be involved, since that is the only way to prevent dangerous malware falling into the hands of hostile states.12
Furthermore, decision makers have to possess the technological expertise needed to make the right judgements in the event of a crisis. Because cybersecurity is an inter-agency task in peacetime and war, there should be more exchange of personnel between federal authorities as well as coordinated training activities which boost "inter-agency resilience." There is also an urgent need for a greater understanding of new technological developments like artificial intelligence. This will necessitate close collaboration between authorities and industry and academics. Standardized end-to-end encryption for communication would be one important step.
More protection and restraint in the event of offensive action are an important prerequisite in maintaining a freely accessible cyberspace. Analyses show that these objectives are dependent upon a state's security policy. Increasingly aggressive competition between the USA, China, and Russia demands a clear position on the part of the European Union. Medium-sized powers like Australia, Germany, and Canada need to develop appropriate cyber rules to establish a "peaceful and stable cybersphere" in the face of states like the USA, Russia, and China. Internationally, important conclusions and concrete proposals for confidence building measures in cyberspace have been drawn up in working groups at a UN level (UN Group of Governmental Experts) and among regional organizations like the OSCE and ASEAN. These include, for example, mutual duties to inform in the event of cyberattacks and when establishing cyber doctrines, and a ban on attacking critical infrastructure.13 But so far, leading states have lacked the will to pick up on these ideas, implement them credibly, or develop them further in international discourse. Genuine transparency with regard to offensive operative potential, cyber doctrines, and the function of the institutions involved would be a step in the right direction. This would require a shared understanding of key terms like cyberattack and cyberweapon, as well as their harmful dimensions. These things, however, are only vaguely defined, and are therefore open to all kinds of interpretation and future use. States need to develop a shared foundation. A joint glossary sponsored by the UN would be a welcome first step.
The problem of attribution in cyberspace appears virtually insoluble, yet forensic standards and facilities will have to be developed that are capable of investigating cyber incidents.14 Things can be learned in this respect from the transparency and verification rules of established arms control (such as the International Atomic Energy Agency, Organisation for the Prohibition of Chemical Weapons, Comprehensive Nuclear-Test-Ban Treaty Organization).
Soldiers need to be trained so that they are able to apply the principles of international humanitarian law, even in cyberspace conflicts (especially proportionality, the need to discriminate, and military necessity). Joint exercises between friendly states could help to gather experience and surmount crises together.
Companies like Microsoft ("Digital Geneva Convention") and Siemens ("Charter of Trust") have drawn up certain proposals and principles aimed at positively guiding the behaviour of companies and individual users towards a "stable and peaceful" Internet. The non-profit organization Access Now campaigns worldwide for the protection of users' digital rights, and offers help whenever users are attacked or spied on. The "Paris Call for Trust and Security in Cyberspace" initiated by President Macron has found many supporters, and advocates adherence to fundamental principles in this sphere.15 This will certainly help to build awareness and responsibility in important user groups, but is hardly likely to reach difficult state players in the intelligence services and military organizations of some countries.
In the medium term, transparency and arms control regulations will be needed if demonstrable acts of war using disruptive cyber tools become a possibility. It seems unlikely that today's arms control architecture could be translated straight into a ban on cyberweapons, since cyberspace is extremely difficult to control, cyberweapons are intangible, and they have different harmful outcomes.16 And yet the aim of maintaining an "open, peaceful, freely accessible, stable, and secure" cyberspace is in the interests of the world's states. Much can be learned from decades of development in treaty-bound arms control regulations when it comes to limiting dangerous attack vectors, avoiding catastrophic harmful effects, and preventing uncontrolled escalation.
In the longer term, there is also the question of what we understand by the lasting cyber peace which many players are repeatedly calling for. Scott J. Shackelford writes about this: "Cyber peace is not the absence of attacks or exploitations, an idea that could be called negative cyber peace. Rather, it is a network of multilevel regimes working together to promote global, just, and sustainable cybersecurity by clarifying norms for companies and countries alike to help reduce the risk of conflict, crime, and espionage in cyberspace to levels comparable to other business and national security risks."17 Interestingly, this helpful definition lacks the term war. There is still much work to do.
My thanks to Jantje Silomon, Oxford and Hamburg, for her in-depth comments and sources.
1 See for example the US Congress Cyber Defense Certainty Act, tabled by Tom Graves in March with an amendment. www.congress.gov/bill/115th-congress/house-bill/4036 (accessed April 26, 2019).
2 Federal Ministry of the Interior (2016): Cyber-Sicherheitsstrategie für Deutschland 2016 [Cyber Security Strategy for Germany in 2016]. Berlin, p. 5. www.bmi.bund.de/cybersicherheitsstrategie/BMI_CyberSicherheitsStrategie.pdf (accessed April 26, 2019).
3 According to an analysis by the Cato Institute, there were 272 documented cyber operations between 2000 and 2016, of which 32.7% were disruptive, 54.4% espionage, and 12.89% subversive. See Maness, Ryan C./ Valeriano, Brandon/Jensen, Benjamin (2017): "The Dyadic Cyber Incident and Dispute Dataset Version 1.1."
4 Coats, Daniel R. (2017): "Worldwide Threat Assessment of the US Intelligence Community." Senate Select Committee on Intelligence, May 11, 2017, p. 1. www.dni.gov/files/documents/Newsroom/Testimonies/SSCI%20Unclassified%20SFR%20-%20Final.pdf (accessed April 26, 2019).
5 U.S. Cyber Command (2018): "Achieve and Maintain Cyberspace Superiority. Command Vision for US Cyber Command." April 2018. www.cybercom.mil/Portals/56/Documents/USCYBERCOM%20Vision%20April%202018.pdf (accessed April 26, 2019).
6 U.S. Joint Chiefs of Staff (2018): "Cyberspace Operations." Joint Publication 3-12, June 8, 2018, p. II-5. www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_12.pdf (accessed April 26, 2019).
7 U.S. Department of Defense (2018): "Fact Sheet: 2018 DoD Cyber Strategy and Cyber Posture Review. Sharpening our Competitive Edge in Cyberspace." media.defense.gov/2018/Sep/18/2002041659/-1/-1/1/Factsheet_for_Strategy_and_CPR_FINAL.pdf (accessed April 26, 2019).
8 Valeriano, Brandon/Jensen, Benjamin (2019): "The Myth of the Cyber Offense. The Case for Restraint." Cato Institute, Policy Analysis No. 862, January 15, 2019, p. 4. object.cato.org/sites/cato.org/files/pubs/pdf/pa862.pdf (accessed April 26, 2019).
9 "Information Security Doctrine of the Russian Federation." www.itu.int/en/ITU-D/Cybersecurity/Documents/National_Strategies_Repository/Russia_2000.pdf (accessed April 26, 2019).
10 Inkster, Nigel (2013): "Chinese Intelligence in the Cyber Age." In: Survival 55 (1), February-March 2013, pp. 45-65.
11 Valeriano, Brandon/Jensen, Benjamin (2019): "The Myth of the Cyber Offense. The Case for Restraint." Cato Institute, Policy Analysis No. 862, January 15, 2019, p. 10. object.cato.org/sites/cato.org/files/pubs/pdf/pa862.pdf (accessed April 26, 2019).
12 Granick, Jennifer (2014): "Changes to Export Control Arrangement Apply to Computer Exploits and More." The Center for Internet and Society, January 15, 2014. cyberlaw.stanford.edu/publications/changes-export-control-arrangement-apply-computer-exploits-and-more (accessed April 26, 2019).
13 See Neuneck, Götz (2014): "Cyberwarfare: Hype or New Threat?" In: Ethics and Armed Forces 2014/2, pp. 26-31. www.ethikundmilitaer.de/en/full-issues/20142-cyberwar/neuneck-cyberwarfare-hype-or-new-threat/ and the entire edition themed on cyberwar (accessed April 26, 2019).
14 The NGO ICT4Peace has proposed a network organization for stateless attribution. See: "Trust and Attribution in Cyberspace: An ICT4Peace proposal for an independent network of organisations engaging in attribution peer-review." December 6, 2018. ict4peace.org/activities/trust-and-attribution-in-cyberspace-an-ict4peace-proposal-for-an-independent-network-of-organisations-engaging-in-attribution-peer-review/ (accessed April 26, 2019).
15 www.diplomatie.gouv.fr/en/french-foreign-policy/digital-diplomacy/france-and-cyber-security/article/cybersecurity-paris-call-of-12-november-2018-for-trust-and-security-in (accessed April 26, 2019).
16 See for example Tikk, Eneken (2017): "Cyber: Arms Control without Arms?" In: Koivula, Tommi/Simonen, Katariina (ed.): Arms Control in Europe: Regimes, Trends and Threats. Helsinki, pp. 151-187.
17 Shackelford, Scott J. (2014): Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace. Cambridge, p. 365.
Götz Neuneck is a physicist and gained a PhD in mathematics at the University of Hamburg to become a Dr. rer. nat. (doctor of natural sciences). He worked on strategic issues, military technology, and arms control with the Afheldt working group at the Max Planck Society in Starnberg from 1984 to 1987. He is the deputy director of the Institute for Peace Research and Security Policy at the University of Hamburg (IFSH) and head of the Arms Control and Emerging Technologies research group. He chairs the Physics and Disarmament working group at the German Physical Society (DPG) and belongs to the council of the Pugwash Conferences on Science and World Affairs.