An emerging international security policy challenge requires new norms of global governance and state behavior if it is to be met. This challenge occurs in a new environment, one that, unlike our familiar natural environments, is an entirely human creation.
I am referring to the Internet, or cyberspace: a network of computer-based systems. This cyberspace is a novel environment.
The word “cyberspace” has a Canadian origin. It was coined by a Vancouver science fiction writer, William Gibson, some thirty years ago. In his novel Neuromancer, Gibson defined the term as “a consensual hallucination experienced daily by billions…”. This prescient metaphor has since become a household word and the users of the Internet now are estimated to exceed three billion.
Cyberspace is a multi-faceted subject of global public policy. This essay will focus on the international dimension of cyber security: the emerging diplomacy of cyberspace and the prospects for interstate cooperation in this unique realm.
A Changing Context
Before we discuss inter-state relations, there are a few contextual facts to mention. First is the obvious point that the Internet—indeed, cyberspace more broadly—has become central to our way of life. It would be difficult to overstate its importance for the functioning of global society or the high level of dependency on a cyberspace free from threat of deliberate damage or destruction by state actors.
The second fact is that the magnitude and the pattern of Internet use have changed in recent years. Europe and North America, which used to make up the majority of Internet users, have now been eclipsed by the global south. Asia alone now makes up almost half of the world’s Internet users and two thirds of these users now reside in developing countries.
If Asia makes up about half of the global Internet users, it also is the region with the poorest cyber security. According to a recent study by the cyber security firm Mandiant, the median time between a computer system being compromised and the discovery of the attack was 520 days in the Asia-Pacific region—three times the global median time of 146 days.
To put this period in perspective, Mandiant estimates that a competent attacker can probably achieve domain administrator privileges within three days, on average, of gaining initial access to the system. These privileges enable the attacker to pose as an “insider” using legitimate credentials to blend in with normal user activity. Having established a privileged beachhead within the host system, the intruder can carry out a leisurely reconnaissance of the stored data and select the files to be extracted. Besides the initial exfiltration of data, the attacker can provide for a covert persistent presence on the system to allow re-entry in future.
Computer Exploitation versus Attack
There is another concept that I should introduce here to clarify a crucial difference between two types of cyber operations that are often lumped together under the term “cyber attack.” These are computer network penetration (CNE) and computer network attack (CNA).
The term CNE refers to the covert penetration of a computer system in order to extract information from it, while the term CNA refers to a covert penetration designed to disrupt, damage, or destroy data or systems.
The first action is the purview of intelligence-collecting agencies, whereas the second is the mission of the military. These distinctions become blurred however in the cyber realm, as both CNE and CNA depend on an initial clandestine penetration of a computer and the defender who detects such an intrusion cannot know whether the attacker intends to copy some information or to wreak havoc on the system. Previously the national security threats posed by spying and military attack were entirely different in nature and modus operandi. Think of a bulging file secreted under a trench coat versus an artillery barrage or tank assault. Today the initial stages of these two kinds of offensive action are virtually indistinguishable, raising a myriad of practical problems.
Cyber operations have also blurred the institutional and legal lines between intelligence community collection (Title 50 under US law), which is prohibited from using force, and the military, which is authorized to do so (Title 10). The fact that offensive cyber operations have been developed conjointly by the intelligence agencies and the military, both under a heavy mantle of secrecy, has made it difficult to maintain this functional distinction. The decision of the Obama Administration in 2010 to establish a Cyber Command in the military and then “double-hat” its head, Admiral Michael Rogers, as the chief of the National Security Agency (NSA) has institutionalized this melding of activity and undercut capacity to ensure proper accountability from the two entities.
The Militarization of Cyberspace
While most public attention has been on the malicious activities of cyber criminals, what states are doing in this new realm is of prime importance for the future security of cyberspace. A 2012 study by the UN Institute for Disarmament Research yields some disquieting results. Out of 114 states with some form of national cyber security programs, 47 assign some role to their armed forces. Increasingly there are open references to militaries developing offensive cyber capabilities in addition to cyber defence capabilities. Yet only a handful of states have published military cyber security policies.
Beyond the issue of transparency for state actions, this engagement of the military suggests that the “militarization” of cyberspace is well underway, before there has been any real public debate or decision-making as to whether to permit state-conducted cyber attacks in this new environment.
As in many other national security matters, the US sets the pace for the international community, for others will emulate the postures that the US acquires.
Unlike other domains of military involvement, where the assets and activities are exclusively under the control of the military, separate from civilians, cyberspace and its infrastructure are overwhelmingly privately owned and operated. This complicates any effort to regulate this “militarization” trend, but also underscores the potential damage to civilian interests if they become treated only as collateral damage from offensive cyber operations.
Crossing the Cyber Rubicon
The incidents listed in this table are some of the most prominent offensive cyber operations attributed to state conduct in recent years. In this selection there is a major difference between the Distributed Denial of Service (DDOS) attacks against Estonia and Georgia—which temporarily crashed several governmental websites in those countries, but which did not destroy or distort data—and those that entailed deliberate damage. Such DDOS attacks are essentially disruptive rather than destructive. A hostile act certainly, but not an act of war.
The Israeli cyber operation against Syria was in support of the bombing by the Israeli air force of a covert nuclear facility in Syria. The cyber element here was effective in disabling the functionality of Syrian air defence radars (they displayed blank screens to the operators, thus enabling the attack to proceed undetected) but did not damage or destroy these systems. This type of cyber attack can be viewed as an extension of earlier forms of electronic warfare designed to disrupt or disable an adversary’s communications or surveillance system during military operations.
The “Stuxnet” worm that was directed against the Iranian nuclear program was the first cyber payload that caused the physical destruction of its target (the centrifuges used to enrich uranium) and can be considered the first cyber weapon employed by a state. In June 2012 US officials leaked details of this joint US/Israeli operation code-named “Olympic Games” that was responsible for the “Stuxnet” attack. Ex-CIA chief Michael Hayden compared it to Caesar’s crossing of the Rubicon in terms of its significance for offensive use of cyber down the road.
Just before the official leaks regarding “Stuxnet,” but well after private cyber security firms had revealed its existence, a new cyber attack named “Flame” was launched against the Iranian Oil Ministry and Oil Company, destroying the hard drives of thousands of computers. It prompted a retaliatory strike by Iranian cyber units against the US-Saudi controlled oil company Aramco that resulted in the destruction of data on some 30,000 computers. The victim had evidently found a way to respond in kind to destructive cyber attacks—and a detrimental precedent had been established.
Importantly, this precedent had been set under a cloak of secrecy absent any form of public scrutiny. Furthermore, as one informed observer has noted, “it was clear, even to those with a glimpse of its inner workings, that no one had thought through the implications of this new kind of weapon and new vision of war”. (Dark Territory, Fred Kaplan)
Responsible State Behavior
States have a long experience in developing common standards to manage their relations, including their conflicts. International security agreements have been concluded to address action in the traditional domains of land, sea, and air. Cyberspace however is a unique domain that raises special concerns. Because conflicts have only recently emerged in this environment, states have been slow to address the problem. The focus has been on developing national cyber security strategies, reflecting the priority attached to domestic issues.
The US was probably the first country to recognize officially the inter-relationship between national and global cyber security. The Obama Administration issued a path-breaking policy statement, International Strategy for Cyber Space in May 2011. It called for the development of a global consensus on ‘norms of responsible state behavior in cyberspace.’ Although the aim was clear, the Obama Administration had trouble devising a diplomatic strategy to realize it. It is now over five years since the International Strategy was announced and the US still has not endorsed any multilateral process to bring it to fruition. The sense of urgency that initially informed the Administration’s strategy has dissipated and the practical problems in advancing the strategy led the Obama administration to put it on a diplomatic back burner. Prominent among these were the revelations, courtesy of Edward Snowden in the summer of 2013, that exposed a massive external and domestic cyber surveillance and intelligence-gathering program being run by the US. To say that these revelations complicated the American appeal to the international community to agree on norms of responsible state behavior would be an understatement.
Sino-Russian Code of Conduct for Information Security
Diplomacy, like nature, abhors a vacuum. The diplomatic void opened up by the Obama Administration’s call in May 2011 for global norms in cyberspace was filled a few months later by China and Russia. These countries, along with Tajikistan and Uzbekistan, to add desirable developing country cover, submitted at the fall 2011 session of the UN General Assembly a proposed Code of Conduct for Information Security.
The proposal was cleverly conceived as a set of politically-binding confidence building measures designed to appeal to states that were not inclined to embrace international legal instruments in this new field. The core of the code was eleven actions, most of which were innocuous, but two of which would be problematic. The first, which called for a ban on “information weapons” and offensive activity, raised definitional issues—what constitutes ‘hostile activities,’ what are ‘information weapons,’ and what would be a proliferation of ‘related technologies’? Similarly, the second action with its assertion of a state’s sovereign right to protect its ‘information space’ was open to varying interpretations: Would critical commentary by an NGO be considered a ‘disturbance’ or ‘sabotage’ of that information space? One need not be a veteran diplomat to recognize the problematic nature of such ambiguous language in an international instrument.
China and Russia have proceeded with caution regarding their initiative, quietly holding consultations, and in January of last year they circulated a revised version of their proposal. As a comparison of the 2011 and 2015 texts reveals, they have largely backed off the arms control aims of the first measure, although the new general formulation (prohibiting “activities which run counter to the task of maintaining international peace and security”) leaves much to interpretation.
The second measure’s modification is minor, essentially substituting “interference” for “disturbance” and “norms and rules” for “laws and regulations,” although the fundamental question of how states would interpret these terms remains. So does the core distinction between the concept of “information space” utilized here and the term “cyberspace” favored by the West. The former term suggests that the content of information conveyed could pose a threat, whereas the latter term is content-neutral with a focus on preserving the integrity of the information systems themselves. It is unclear how the sponsors of the draft Code of Conduct wish to proceed, but the proposal has now been formatted as a draft resolution and China and Russia could decide to submit it to a future session of the UN General Assembly for adoption.
The UN Group of Governmental Experts
Although the US never followed up on its call for global norms and China and Russia have proceeded cautiously with their code of conduct initiative, there has been a form of on-going discussion of this theme at the UN. This has been conducted by a series of UN Groups of Governmental Experts (GGE), composed normally of 15-20 national “experts,” that consider new issues and offer recommendations for UN member states. The original mandate of the GGE was to study “existing and potential threats in the sphere of information security and possible cooperative measures to address them, including norms, rules or principles of responsible behaviour of States.” Although the first such GGE in 2004-2005 was unable to agree on a report, subsequent GGEs have issued consensus reports in 2010, 2013 and 2015. All of these reports have acknowledged that states have an interest in preventing conflicts arising from the use of Information and Communication Technology (ICT) and have observed, “international cooperation is essential to reduce risk and enhance security”. On the contentious issue of whether international law was applicable to this new realm, the GGE findings came down in favor of the Western position that it does, but caveated this with references to the possibility of new norms and included a counter-balancing affirmation of the prerogatives of sovereign states in managing ICTs on their territory.
The reports have also suggested a series of confidence-building measures to “increase interstate cooperation, transparency, predictability and stability.” In the latest iteration these have included restraint measures such as the non-targeting of “critical infrastructure” or states’ computer emergency response teams. They have also encouraged more sharing of information on “vulnerabilities and identified harmful hidden functions in ICT products.” These vulnerabilities of course are the very features that states engaged in offensive operations seek to acquire in order to develop cyber payloads to exploit them.
While the GGEs faute de mieux perform a certain function in providing a broadly representative forum under UN auspices for discussing international cyber security norms, their recommendations remain just that in the absence of an official multilateral process to ensure that states codify and endorse them. States seem content to continue with the GGE process. No sooner had the General Assembly received the 2015 GGE report than it authorized another GGE to meet in 2016-17 and report to that fall’s session. For some observers a degree of GGE “fatigue” has set in. There is concern that the GGE process gives the appearance that the international community is addressing the problem while actual state behavior remains largely unchanged.
Time for a Cyber Peace Initiative?
Against a backdrop of relentless “militarization” of cyberspace it is not sufficient to simply call for the development of global norms. A dedicated diplomatic process is necessary to accomplish this task. States will have to move beyond the initial expressions of interest in such an undertaking and agree on a representative mechanism to negotiate these norms and supporting measures of restraint. Bilateral consultations and arrangements between leading cyber powers, such as those starting to occur after a rocky beginning between China and the United States, can assist in this enterprise, but they are not sufficient.
The global character of cyberspace suggests that the norms to govern it should ideally be global and not particular in nature. A multilateral diplomatic process under UN auspices is the way to moderate state conduct in cyberspace. The priority should be given to negotiating cooperative measures to restrain destructive, offensive cyber operations. The threat to international security posed by certain state cyber actions should be the focus, putting aside for the present the thorny issues of state cyber espionage, which are less amenable to negotiated interstate restrictions.
The language and assumption of cyber war, so pervasive in contemporary discourse, should be rejected. Cyberspace need not be reduced to just another domain for warfare, although many military figures are eager to make a self-fulfilling prophecy to that effect. International cooperation has effectively demilitarized other special environments in the past: outer space, the seabed, and Antarctica, to name a few. The same status could be accorded to cyberspace.
In order for this to occur a cyber peace lobby must find its voice. Given their huge stake in cyberspace and their strong interest in preserving it for peaceful purposes, it is incumbent on the private sector and civil society to engage their governments and press them to take early and appropriate action in this regard.
_Paul Meyer is a former Ambassador of Canada to the UN and the Conference on Disarmament in Geneva. He is currently an Adjunct Professor of International Studies and a Fellow in International Security at Simon Fraser University as well as a Senior Fellow with The Simons Foundation. A member of Canadian Pugwash, he currently serves as Vice-Chairman of the group._
“Someone has crossed the Rubicon”
- April 2007 — Estonia: Denial of Service Attacks
- Sept. 2007 — Syria: Air Defence Radars Blanked
- Aug. 2008 — Georgia: Denial of Service Attacks
- 2010 — “Stuxnet” attack on Iranian centrifuges
- April 2012 — “Flame” attack on Iranian oil systems
- August 2012 — “Shamoon” attacks Saudi Aramco