Allan Cytryn, Nazli Choucri, Michael Dukakis, Ryan C. Maness, Tuan Nguyen, Derek S. Reveron, John E. Savage, and David Silbersweig
At the 2016 G-7 Summit at Ise-Shima, Japan, countries affirmed their commitment to support an open, secure, and reliable cyberspace through the application of international law to state behavior in cyberspace, voluntary norms of responsible state behavior in peacetime, and close cooperation against malicious cyber activity. Absent from formal communiqué were statements on cyber conflict. While cyber-enabled criminal activity and espionage preoccupy cyber discussions today, dozens of countries are building military cyber commands. Given the potential devastation a cyber conflict with advanced cyber weaponry would bring civilian populations; it is essential to develop ways to prevent the proliferation of cyber weaponry. Thus far, states have shown remarkable restraint in using overt cyber weaponry, the exceptions being acts such as Stuxnet and Shamoon. It is important that the international community build upon this restrained behavior and push toward norms that would make their use taboo.
Cyber weapons are new, not well understood, and if not properly controlled, likely to lead to escalation, a process that can lead to serious unexpected consequences, including conventional war. Development costs are minuscule relative to conventional military power and has expanded the range of threats. Differentiating the intent of software designed for espionage from a cyber weapon, designed for sabotage is easily confused that can cause miscalculation. Thus, implantation of foreign software in an adversary’s military or critical infrastructure systems poses a serious threat of both harm and escalation. In a worst-case scenario, if a computer system in question consists of a state’s nuclear weapons command and control center, nuclear conflict may result especially with states locked in unresolved conflict, such as India and Pakistan.
Under the UN Charter, an attack is a use of force, to which states have the right to self-defense. We define a cyber attack to be an action launched via computer and/or networking technology that either produces physical damage equivalent to the use of force or corrupts critical information sufficient to cause damage to the national welfare akin to that produced by the use of force. We define cyber to be a conflict that largely consists of cyber attacks. Given the novelty of cyber conflict and the opportunities for miscalculation, cyber conflict has the potential to lead to conventional conflict using both kinetic and cyberspace technologies. In the event countries think they may lose a capability due to a cyberattack, they could prematurely escalate a conflict through pre-emptive military strikes.
Targets of cyber attacks could be a) a nation’s military command and control system, which includes military satellites, its logistical systems, and one of its major wartime commands; b) its economy, which includes its critical infrastructure such as power, water and banking; or c) operation of its system of governance, including its major agencies and its national electoral system. Whether the damage done by a cyber action arises to the level of force will need to determined. However, loss of GPS during a period of heightened tensions could be considered a use of force, as could the disabling of a significant fraction of the electricity grid of a state under similar circumstances. Altering the outcome of the election of a national executive, an act tantamount to the forceful replacement of the executive, may also rise to a use of force.
Because national economies are much more tightly integrated today than at any previous time in human history, cyber conflict, whether it escalates to kinetic warfare or not, is likely to cause serious economic or political damage to many states. Given how widespread a cyberattack can be impacting telecommunications, banking, and power generations, civilians are at grave risk. Citizens regardless of nationality are exposed to risks created by cyber insecurity. International cooperation is essential and countries must prioritize ways to reduce the risk of cyberwar.
Yet the use of cyber weapons that do physical harm remain rare, and we must promote their non-use further, while at the same time recognizing the proliferation of certain types of acts that continue to have real impact: espionage and disruptive cyber events. Chinese espionage on US intellectual property has had real monetary impacts in the billions of dollars. Russian disruptive campaigns against the electoral processes in the West have sown discontent in institutions among these populations. The prevention of these types of attacks should be at the forefront, as their continued use could lead to retaliation with cyber and conventional weapons, and possibly major power war. The battle over information is being fought now, and measures must be taken to stem its tide.
Progress has been made in this battle. As a result of a bilateral agreement between the United States and China struck in September 2015, the incidence of “theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors” has greatly subsided. (See http://www.nbcnews.com/news/us-news/russia-may-be-hacking-us-more-china-hacking-us-much-n664836.)
Risk reduction must begin with identification of critical assets and the risks to which they are exposed. States must then create a system to reduce risks. This will include acquiring the necessary expertise, whether available domestically or not, to reduce software vulnerabilities and cooperate with other nations to improve transparency. This cooperation can take the form of information sharing, bilateral and multilateral agreements, articulation of norms of state behavior, and the creation of risk reduction centers designed to control escalation and equipped with “hot lines” to other national risk reduction centers.
Restraint is strengthened by implementing norms against unacceptable behaviors and creates a more mindful attitude towards using cyber systems. Fostering collective action, which is necessary to protect cyber capabilities needed by individuals, groups, and societies, enhances restraint. There may be a time when the international community establishes an international center to monitor and combat cyber threats, and to coordinate actions to protect computer systems and disrupt non-state actors that operate in cyberspace. States may have to surrender some sovereignty to do this, but it may be reflective of the non-sovereign Internet.
Cyber risk reduction begins with adherence to the GGE Norms (UN A/70/174), the G7 Ise-Shima norms, and the G20 Norms. However, it goes beyond these and should include the following measures:
- Sharing in depth of best practices to secure computers and networks.
- Public identification of critical national infrastructure asset classes.
- National prioritization of assets by value.
- Reduction of the risk of compromise of high-priority assets.
- Creation and proper manning of risk reduction centers.
- Establishment of regular security drills both domestically and with other risk reduction centers.
- Banning of the implantation of software in another state’s high-value systems during peacetime.
- Applying the law of armed conflict in cyberspace.
- Improving attribution through forensics and context.
Cyber attacks present a new danger to the security of states. Thus, states are urgently encouraged to begin discussion of mechanisms to address these issues.