Saturday, December 07, 2019

Making states responsible for their activities in cyberspace

By Annegret Bendiek and Ben Wagner

Cyberwar continues to serve as a hot topic in many of the discussions on the future of war. Yet despite the persistent debate about warfare on the internet, it is questionable whether cyberwar has actually taken place in the past or is likely to occur in future. Ever since states engaged in international security policy, they have been caught in the security dilemma. That dilemma has triggered arms races and repeatedly led to military confrontation. Since World War II, the international community has made significant progress towards mitigating the security dilemma by establishing arms control treaties, trust-building mechanisms and a dense network of cooperation. The rise of offensive cyber operations threatens to tear those mechanisms down. The only way to prevent a renaissance of the security dilemma is to build norms and institutions that promote state responsibility and focus on “deterrence by resilience.”

Without question, both civilian and military actors are engaged in a wide variety of offensive and defensive operations on the internet. However, the scope and scale of such operations are far more akin to espionage or covert operations and are below the threshold of armed conflict, let alone warfare. “Sabotage, espionage, and subversion” are more useful terms to describe the various forms of cyber operations.

Moreover, in debates about cyber conflict, it is frequently assumed that a wide variety of non-state actors are capable of engaging in extensive cyber conflict. While this may technically be possible, the fact is that the overwhelming majority of advanced offensive cyber operations is conducted by state actors or their direct proxies; debates over cyber terrorism bear little resemblance to the practical realities of everyday cyber attacks.

The interconnectedness of critical infrastructure, along with the burgeoning internet of things, forces policymakers to consider the question: How do we defend, protect and create resilient critical infrastructures? How should we counter attempts to steal crucial information? Digital technologies are so deeply enmeshed with all levels of modern life that it is difficult for society to function without them. Precisely because of this, governments have begun to develop their strategic posture on how to respond.

There are two main ways to respond strategically to cyber threats: deterrence by resilience and deterrence by retaliation. Deterrence by resilience involves hardening key existing infrastructure and improving the overall defensive posture, thus making attacks far more difficult. Measures to achieve these goals include the establishment of effective institutional response mechanisms to cyber attacks, stronger coordination between existing responders and ensuring that, in particular, key public IT infrastructure is less vulnerable to cyber attacks. On the other hand, deterrence by retaliation involves an offensive response to cyber attacks, making sure they are not repeated.

It is highly questionable whether deterrence by retaliation is an effective counterstrategy. The difficulty of attribution presents a basic problem of retaliation. Lawrence Freedman, one of the leading academics on strategy and security policy, argues that “what we need to think about is not so much how to make deterrence work, but about what sorts of behavior we now wish to proscribe.” Making such a strategy effective would require both far higher levels of attribution than is currently the case as well as a willingness of states to constrain malicious attackers.

Moreover, deterrence by retaliation comes with considerable legal and political risks. Many leading scholars have warned that the build-up of offensive capabilities only repeats the mistakes of the past. It fosters mistrust, leads to a new arms race and might even lead to the internet’s disintegration as states increasingly assert their sovereignty. Moreover, offensive operations risk degrading a common pool resource: trust in the stability and integrity of the internet. Turning the internet into a persistently escalating cyberspace battleground makes it less useful and trustworthy for everyone who uses it. And such operations can go badly wrong, for instance when US cyber operatives accidentally caused an extensive internet outage in Syria in 2012.

By contrast, deterrence by resilience involves improving the defensive security of critical infrastructure. Hardening involves none of the risks of offensive operations and comes with the added bonus of increasing the level of resilience against other forms of attacks, e.g. cyber crime. However, there are persistent claims by security experts that resilience alone is insufficient to prevent cyber attacks. Some argue that you need not only a shield but also a sword to defend yourself. Others would recommend buying a better shield instead of a sword.

Within Europe, both the EU and NATO have focused on deterrence by resilience yet have oriented their efforts towards different strategic areas. A few cyber powers started to build up their offensive and defensive cyber capabilities. Likewise, the EU and NATO have begun corralling their respective members to establish common defensive capabilities. However, only a few countries within the EU and NATO can thus far deploy offensive capabilities. There are numerous challenges to military cyber operations. They relate to accountability, state-society attacks and norms of behavior in cyberspace.

1. Offensive cyber operations frequently take place with little oversight and accountability. This is in part due to their unclear organizational structure, typically housed somewhere in between intelligence services of the military and private sector contractors. They need to develop more sustained oversight and accountability mechanisms in order to ensure their legitimacy and longevity. The shift of US Cyber Command away from the NSA in order to “draw cleaner lines between the government’s military and intelligence cyber functions” presents a particularly interesting example, as it sets a trend for a stronger split between military and so-called loud cyber weapons on the one hand, and intelligence cyber operations on the other.

2. In the debates about cyber security and cyberwar, the usage of cyber attacks as a tool of state repression has thus far received insufficient attention. States engaging in cyber attacks against their citizens have become increasingly common in the past decade, with steadily escalating forms of attacks. Examples include the Syrian government’s shutdown of mobile phone networks in close coordination with military operations, the Tunisian government actively stealing the data of all Gmail users based in Tunisia around the time of the Tunisian uprisings, and the government of Pakistan shutting down all mobile phone and Internet connections in the country. While it is common for experts to discuss a potential cyber attack on critical infrastructure by third parties – such as the purported shutdown of the North Korean internet by US government operatives – it often happens that states are just as eager to attack their own critical communications infrastructure. Such cyber attacks by states against their own infrastructure degrade the quality of their societies and harm economic development. Such attacks are typically employed around elections and mass protests, and are swiftly becoming a global phenomenon.

3. Freedman is also right in pointing out that the main objective now “has to be to encourage the development of an international order in which there are formidable restraints on the use of cyber force.” So far, the quest for agreement on common norms for state behavior in cyberspace has met only mixed success. As early as 2000, the UN General Assembly called on states “to ensure that their laws and practices eliminate safe havens for those who criminally misuse information technologies.” The UN Group of Governmental Experts (GGE) picked up this idea in its final report of June 2015. According to the report, all states shall ensure that their territories, and especially the computer systems and infrastructure situated there or otherwise under the states’ control, are not misused for attacks on the infrastructure of other states. The GGE recommended that states “seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions.” This emphasizes an approach focused on hardening existing infrastructure and mitigating the risks emanating from such infrastructure. After all, each individual vulnerability, each cyber attack and each weakness in defensive capacity leads to individual users losing control of their devices and weakens the internet as a whole. Ensuring the stability and integrity of the internet is a crucial goal for policy makers. In the words of the GGE, it is a “key question for international peace and security.”

A version of this article appeared in print in February, 2017, with the headline “If you want peace, prepare for peace”.

Annegret Bendiek is a senior associate at the German Institute for International and Security Affairs (SWP) for EU collective foreign and security policy.

Ben Wagner researches digitization in international policy at the German Institute for International and Security Affairs (SWP).