Deterrence by Norms to Stop Interstate Cyber Attacks
- 1.5k Downloads
Paradoxically, state actors often play a central role in the escalation of cyber attacks. State-run cyber attacks have been launched for espionage and sabotage purposes since 2003. Well-known examples include Titan Rain (2003), the Russian attack against Estonia (2006) and Georgia (2008), Red October targeting mostly Russia and Eastern European Countries (2007), Stuxnet and Operation Olympic Game against Iran (2006–2012). In 2016, a new wave of state-run (or state-sponsored) cyber attacks ranged from the Russian cyber attack against Ukraine power plant,1 to the Chinese and Russian infiltrations US Federal Offices,2 to the Shamoon/Greenbag cyber-attacks on government infrastructures in Saudi Arabia.3
[…] about the risk of escalation and retaliation in cyberspace […]. Such activities could have a destabilizing effect on international peace and security. We stress that the risk of interstate conflict as a result of ICT incidents has emerged as a pressing issue for consideration. […], (G7 Declaration 2017, 1).
This trend will continue. The relatively low entry-cost and the high chances of success mean that states will keep developing, relying on, and deploying cyber attacks. At the same time, the ever more likely AI leap of cyber capabilities (Cath et al. 2017)—the use of AI and Machine Learning techniques for cyber offence and defence—indicates that cyber attacks will escalate in frequency, impact, and sophistication.
Historically, escalation of interstate conflicts has been arrested using offensive or political strategies, sometimes in combination. Both have been deployed in cyberspace. The first failed; the second needs to be consolidated and enforced (Taddeo and Glorioso 2016a, b).
1 The Offensive Strategy
Escalation follows from the nature of cyber attacks and the dynamics of cyberspace (Floridi and Taddeo 2014; Taddeo 2014, 2016, 2017). Non-kinetic cyber attacks—aggressive attacks that do not cause destruction or casualties, e.g. deploy zero-day exploits or DDoS attacks—cost little in terms of resources and risks to the attackers, while having high chances to be successful. At the same time, cyber defence is porous by its own nature (Morgan 2012): every system has mistakes or bugs in the program (vulnerabilities), identifying and exploiting them is just a matter of time, means, and determination. This makes even the most sophisticate cyber defence mechanisms ephemeral and, thus, limits their potential to deter new attacks. And even when successful, cyber defence does not lead to strategic advantages, insofar as dismounting a cyber attack may bring tactical success, but very rarely leads to the ultimate defeating of an adversary (Taddeo 2017). This creates an environment of persistent offence (Harknett and Goldman 2016), where attacking is tactically and strategically more advantageous than defending.
In this scenario, state actors make policy decisions to protect their abilities to launch cyber attacks. ‘Strategic ambiguity’ is one of such decisions. According to this policy, states decide neither to define and nor inform the international community about their red lines—thresholds that once crossed would trigger state response—for non-kinetic cyber attacks (Taddeo 2011).
By fostering ambiguity, state actors also leave open for themselves a wider room for manoeuvring. Strategic ambiguity allows state actors to deploy cyber attacks for military, espionage, sabotage, and surveillance purposes without being constrained by their own policies or international red lines. This makes ambiguity a dangerous choice, one that is strategically risky and politically misleading.
Currently most countries, including ours, don’t want to be incredibly specific about the red lines for two reasons: You don’t want to invite people to do anything they want below that red line thinking they’ll be able to do it with impunity, and secondly, you don’t want to back yourself into a strategic corner where you have to respond if they do something above that red line or else lose credibility in a geopolitical sense.4
The risks come with the cascade effect following the absence of clear thresholds for cyber attacks. The lack of thresholds facilitates a proliferation of offensive strategies. This, in turn, favours an international cyber arms race and the weaponization of cyberspace, which ultimately spurs the escalation of cyber attacks. In parallel, while seeking to maintain uncertainty about red lines to deter prospective cyber attacks, it actually ends up leaving unbounded (state and non-state run) non-kinetic cyber attacks, which are indeed the great majority of cyber attacks.
Clearly, short of an ultimate victory, offensive strategy leads to policy hazards that fuel, rather than arresting, escalation of interstate cyber attacks. Cyber attacks would be deterred more effectively by a regime of international norms that makes attacks politically costly to the point of being disadvantageous for the state actors who launch them.
2 The Political Strategy
Over the past twenty years, the UN, the Organisation for Cyber Security and Co-operation in Europe (OSCE), and the ASEAN Regional Forum (ARF) and several national governments (G7 and G20) have convened consensus to define such a regime. The time has now come to strengthen and implement it.
The G7 Declaration is the latest of a series of successful transnational initiatives made in this direction before the recent failure of the UN Group of Government Experts (UN GGE) on ‘Developments in the field of information and telecommunications in the context of international security’.5
Like the UN GGE recommendations, the G7 Declaration identifies two main instruments: confidence building measures (CBMs) and voluntary norms. CBMs foster trust and transparency among states. In doing so, they favour co-operations and measures to limit the risk of escalation. CBMs range from establishing contact points, shared definitions of cyber-related phenomena, and communication channels to reduce the risk of misperception, and foster multi-stakeholder approach.
Voluntary norms identify non-binding principles that shape state conduct in cyberspace. De facto, voluntary norms identify red lines for state run non-kinetic cyber attacks and, thus, fill the void created by strategic ambiguity. They stress that states should not target critical infrastructures and critical information infrastructures of the opponent (norms 6, 8, and 11 of the G7 Declaration); should avoid using cyber attacks to violate intellectual property (norm 12 of the G7 Declaration); and remark the responsibility of state actors to disclose cyber vulnerabilities (norms 9 and 10 of the G7 Declaration).
9. […] States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;
These norms tackle one of the key mechanisms of the cyber arm race: state actors acquiring cyber vulnerabilities with the aim of exploiting rather than disclosing or patching them. Norms 9 and 10 have been widely mentioned in the aftermath of the recent WannaCry attack, which ran on a vulnerability (EternalBlue) identified and not disclosed by the UN National Security Agency.6 If respected, these norms would have helped to avert the attack. Interestingly, despite being one of the signatories of the G7 Declaration (as well as being represented in the 2015 UN GGE that first drafted these principles), the US did not face any measures or sanctions following the violation of these norms. This unveils the main problem with existing political strategies to stop escalation of cyber conflicts: the lack of any binding, coercive strength.
10. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure.
The voluntary, non-binding nature of these norms transforms them—and the entire G7 Declaration—in a formal exercise, devoid of any political strength, and thus unable to reach its goal. A step forward is necessary to overcome this stalemate.
The time has arrived for international consensus to be turned into multi-lateral agreements, and to transform voluntary norms into binding ones. This will provide the foundation for an international regime of norms delineating permissible and non-permissible state actions in cyberspace. Without this regime, cyber attacks will continue to be the elective choice of state actors and will contribute to fuelling cyber arm race, making cyber stability a chimera.
Once defined and agreed upon, this regime will have to be enforced. The enforcement requires an independent authority able to exert coercive power and impose sanctions. This authority cannot (and should not) be the result of a multi-stakeholder or a neutral, private-led initiative. This would impose too heavy responsibilities on the private sector and create an authority too weak to bear the political pressure resulting from ensuring state compliance with an international cyber regime. In the same vein, national internal policies for states to verify their own compliance with the regime would be just a different way to endorse voluntary norms.
Enforcing this regime requires an authority able to (1) convene agreement about international norms, (2) verify states compliance with the norms at an international level, (3) launch investigations into suspected state-run (or state-sponsored) cyber attacks to ascertain attribution, (4) expose breaches of the norms and the sources of illegitimate cyber attacks, and (5) impose adequate sanctions and punishments. Achieving (1)–(5) necessitates the coordination of intelligence, political, and diplomatic capabilities, and extremely advanced technical skills, as well as the authority and apparatus to enforce sanctions and punishment. (1)–(5) define a politically-loaded mandate for an authority that will have a deep impact on international relations and geo-political equilibriums.
Indeed, the UN Security Council has the necessary resources, the political, and coercive power to deliver successfully (1)–(5). The time has come to embrace this power to consolidate and enforce an international regime of norms to deter cyber attacks and limit cyber arm race, while fostering peace. Problems, mistakes, and even failures—like the failure of the UN GGE to agree on norms, rules, and principles for responsible state’s conduct in cyberspace—are to be expected but they must not hinder the process. The alternative is a militarized cyberspace threatening, rather than fostering, the flourishing of our societies.
[…] to promote the establishment and maintenance of international peace and security with the least diversion for armaments of the world’s human and economic resources, the Security Council shall be responsible for formulating, with the assistance of the Military Staff Committee […] plans for the establishment of a system for the regulation of armaments.7
In a vicious cycle, cyber attacks and cyber arm race feed one each other. Together, they pose serious threats to the stability of cyberspace and, in turn, to the security and the peace of information societies. Where offensive strategies have failed to break this cycle, political strategies must succeed.
- Floridi, L, & Taddeo, M., (Eds.) (2014). The ethics of information warfare. Law, governance and technology series, Vol 14. Heidelberg: Springer.Google Scholar
- G7 Declaration. (2017). G7 Declaration on responsible state behavior in cyberspace. Lucca. http://www.mofa.go.jp/files/000246367.pdf..
- Harknett, R. J., & Goldman, E. O. (2016). The search for cyber fundamental. Journal of Information Warfare, 15(2), 81–88.Google Scholar
- Taddeo, M, & Glorioso, L., (Eds.) (2016a). Ethics and policies for cyber operations. Philosophical studies, Springer.Google Scholar
- Taddeo, M., & Glorioso, L., (Eds.) (2016b). Regulating cyber conflicts and shaping information societies. In Ethics and policies for cyber operations. Philosophical studies series. Berlin: Springer.Google Scholar
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.