Destroying the Ring-Fence: Cyber Stability in Wider International Security Calculus

Introduction

When the ring-fence around your pasture gets broken, your cattle may wander outside, or predators may get in. Neither is a good thing.

Imagine States as cattle: They roam around a well-defined pasture, called the international security system. Multiple instruments of international law -- bilateral agreements as well as multilateral norms, rules, principles and procedures to which states adhere -- form the ring-fence surrounding that pasture.

Now, the ring-fence has been broken. The ram that tore it down is cyber technology. Two things are happening as a consequence: First, states wander outside. They begin exploring the world beyond the fence, in this case cyberspace. They find it confusing, even irritating. In the words of U.S. settler and pioneer Ebenezer Bryce: "A hell of a place to lose a cow" (Bryce was describing the canyon later named in his honor). Second, predators are getting in -- criminals and terrorists.

A New Challenge to the International Security System

Numerous states are pursuing military cyber-capabilities. In many instances, these are defensive; in others they may be offensive, but limited to supporting traditional military operations. Often, we do not know. The United Nations Institute for Disarmament Research, in its most recent Cyber Index, found on the basis of publicly available information that there were 114 national cyber security programs world-wide. According to this index, forty-seven states have cyber-security programs that give some role to the armed forces.

Cyber capabilities are not limited to great military powers. This sets them apart from traditional military capabilities. They even transcend the established lines of state-centered warfare: A private actor -- be it a legitimate business, a criminal, or a terrorist -- cannot usually obtain, train and use weapons of war. In the electronic world, private hackers developing malware are a fact of life; their services are easily for hire by anybody who pays.

Stories of how criminals are using the internet for their purposes have become commonplace. It is no coincidence that the first international convention designed to address cyberspace is the 2001 Budapest Cybercrime Convention. The step from common crime to politically motivated acts, even terrorism, is not far. We know that Al Qaida is skillfully using the internet as a propaganda and recruitment tool. We cannot exclude that terrorist groups will try to go the next mile and use the net for cyber-terrorism.

Cyber stability is affecting international security calculus. An exclusive, all-out cyber-war has not happened, but as part of conflicts, hostile cyber action has been taken: 2007 against Estonia, 2008 against Georgia, 2010 against Iran, 2013 against South Korea, and at other times when we did not even notice. In the context of the Syrian war, denial-of-service attacks have been reported against U.S. news outlets and financial institutions.

Cyber action is not limited to cyber space. It can cross domains and create real damage in the physical world. The Stuxnet virus resulted in the destruction of centrifuges; one might also think of a virus disrupting a country's power supply, which would have tremendous physical consequences in any advanced industrial society.

Cyber Capabilities and International Security Calculus

Traditional political-military strategies predate the existence of a global information and communications network, used almost universally and upon which much of the world economy relies. Cyber capabilities do not fit into these strategies.
However, it would be risky to ignore this new reality, along the lines of French Marshal Ferdinand Foch, who famously remarked in 1911: «Les avions sont des jouets intéressants, mais n'ont aucune utilité militaire.» ("Airplanes are interesting toys, but have no military use.")

During the Cold War, the opposing parties built their defense on the idea that the best defense is to deter an enemy state from attacking. This is not an entirely new thought -- the Romans had the proverb "Si vis pacem para bellum", and the same idea is present also in earlier works, such as Plato's Nomoi. There is a corollary: In the event of a failure of deterrence, an adversary should be denied the success of his or her action.

Deterrence and denial require that the consequences of any attack be clearly and credibly communicated to any potential adversary. This is next to impossible in cyberspace: Actors may not be known; they do not even have to be states. Perpetrators show great skill in hiding behind multiple screens. Uncertainty about the origin of hostile cyber-action is a characteristic of cyber-incidents. This makes it impossible to threaten negative consequences of such action, and to do so with any degree of credibility. Under such circumstances, deterrence does not work.

Denial -- raising the cost of an attack so as to make a success worthless -- is difficult, if not impossible, in a field where technology is rapidly advancing. With processing speeds doubling roughly every eighteen months, today's impenetrable protection quickly becomes an insufficient shield.

If political-military strategies fail to account for cyber capabilities, so does traditional arms control: The 1968 Nuclear Non-Proliferation Treaty differentiates between five nuclear powers and those signatory states that do not have nuclear weapons. By comparison, it would be foolish to negotiate an arms control or even disarmament treaty for cyber-weapons, given the potentially unlimited number of actors that can procure computer malware. The difficulties of defining a "Cyber Weapon" in the first place need no mention.

Cyber Conflict Scenarios

What are the scenarios for cyber conflict? I would like to sketch three. Each of them leads to a distinct set of questions and conclusions. The scenarios are (1) all-out cyber-war, (2) the limited use of cyber capabilities as part of a larger warfighting effort, and (3) an international military crisis developing from a cyber-action.
1. All-out cyber war

The idea may hold some attraction that a cyber-attack could cripple a country's military force, economy and communication, defeating it without a shot. Could this be a humane war? Even if this was the case -- and this is up for debate -- all-out cyber war seems unlikely at present. Andrew Lewis, who studies cyber issues for the Center for Strategic and International Studies, has argued convincingly:

"A full-blown, no-holds-barred cyber-attack against critical infrastructure and networks might be able to reproduce the damage wrought by Hurricane Katrina, with crucial services knocked out and regional economic activity severely curtailed. While Katrina brought immense suffering and hardship, it did not degrade U.S. military capabilities and would not have led to a U.S. defeat. Multiple, simultaneous Katrinas would still not guarantee victory and could risk being seen as an existential threat that would justify a harsh kinetic response." (James Andrew Lewis, Cyber Attacks, Real or Imagined, and Cyber War, Center for Strategic and International Studies, 2011).

The term "cyber war" is inadequate. It conjures a misleading picture of the threat situation in cyberspace, and of the possible countermeasures. "Cyber war" implies an extensive, existential threat to a state solely through targeted attacks by other states on computer systems and IT networks, or through other actions in cyberspace. For the foreseeable future, cyberspace will not be the exclusive environment of any conflict that might be qualified as war(-fare).

Nevertheless, it would be unwise to exclude the possibility that someone might attempt all-out cyber war. Anticipating such an eventuality, important questions arise: Is a state authorized, under international law, to respond to hostile cyber action by the use of force? Is there a threshold? The United Nations Charter says, in Article 51, that states have the right to self-defense in the event of an armed attack. But is hostile cyber-action an armed attack? In Germany's opinion, this depends on its scale and effects: If a state finds itself the target of a cyber-operation with effects comparable to an armed attack, it may exercise its right of self-defense.
2. Limited use of cyber capabilities as part of a larger warfighting effort

A more likely scenario seems to be the limited use of cyber capabilities as part of a larger warfighting effort. Cyber-attacks in combination with conventional means of conflict can pose a major threat, for which we must prepare.

All countries today rely on modern information and communication technology (ICT), albeit to a varying extent. Even where the military duplicates civilian infrastructure, e.g. by using its own communications network without link to the internet, ICT plays a role: In the internet of things, Web 3.0, machines rely on ICT to work. And even if a military should forego such machines, proceeding, e.g., without satellite communication and GPS, the underlying civilian economy can no longer be expected to work without using modern ICT. This is why cyber action must be expected to form part of any future warfighting effort.

As part of a larger war effort, the effect of cyber capabilities on international security calculus is limited. Nevertheless, this realization leads to questions which beg discussion: Are there cyber acts that would be unacceptable under international law? I am thinking of action that could have important negative consequences on the civilian population, such as attacks on certain critical infrastructure, nuclear power plants or hospitals. They might well be inadmissible under the general rules of international law aimed at protecting civilians from the indiscriminate effects of weapons and combatants from unnecessary suffering.

The two scenarios presented so far illustrate that we need to engage in an international discussion on the norms and principles of responsible state behavior in cyber space, including on the conduct of cyber warfare. Agreed international rules, principles and norms will help enhance transparency and predictability of state behavior in cyberspace. The Tallinn Manual, presented 15 March 2013, was a valuable step in this direction. However, the Tallinn Manual is neither universally accepted, nor is it an official document: It is an expression of opinions by a group of independent experts, acting solely in their personal capacity.

To establish a universal understanding of the norms and principles of responsible state behavior in cyber space, we need to turn to the United Nations. The last Group of Governmental Experts on Developments in the Field of Information and Telecommunications (GGE) has done important work in this direction. Its June 2013 report to the UN Secretary General has made clear that international law, and in particular the UN Charter, is applicable to cyber space and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment. At the same time, the GGE found that state sovereignty and international norms and principles that flow from sovereignty apply to State conduct of ICT-related activities, and to their jurisdiction over ICT infrastructure within their territory.

It was a good decision by the General Assembly, in its resolution A/C.1/68/L.37 of 27 December 2013, to mandate a new GGE to study, with a view to promoting common understandings, existing and potential threats in the ICT sphere and possible cooperative measures to address them, including norms, rules or principles of responsible behavior of states and how international law applies to the use of ICT by states.

Any discussion on the norms and principles of responsible state behavior in cyber space must be based on the understanding that international law, and in particular the UN Charter, is applicable to the ICT environment. An important consequence that follows from the premise that existing law represents the appropriate framework for activity in cyberspace is that individuals enjoy the same universal human rights offline as online. This includes the freedom of expression -- including the freedom to seek and impart information -- the freedom of assembly and association, and the right to privacy, as the UN General Assembly unanimously confirmed in December 2013.

3. Military crisis developing from cyber incident

The dependence of the modern world on ICT carries the danger that cyber incidents may escalate into real-life conflict.
Consider the following scenario: A country is in a tense political situation. Relations with a neighboring state are strained. All of a sudden, the main telephone and internet provider becomes victim to a software bug. Nobody can make phone calls, there are no e-mails. With electronic communications down, the banking system collapses. News web-sites cannot be reached, there are no mass media. Government, economy and also security services are paralyzed. The situation deteriorates: Trains run no longer, airplanes cannot fly, the power grid collapses, and sanitation breaks down. Hospitals have no water or lights, food distribution collapses, security services are incommunicado. All because of a little, hard-to-detect software bug.

Who planted this bug? For what reason? Suspicions run high that the less friendly neighbor perpetrated a cyber-attack. The danger of escalation is evident.

The realization that cyber action may easily escalate into a military crisis illustrates the need for confidence and security-building measures. Regional organizations may play a special role in this context: They bring together those states that are most likely to have difficult relations. It is far more likely that two neighbors share a dispute over a border area, the delineation of a sea border, or the use of natural resources than that two faraway countries are in conflict. Regional organizations provide a forum for such neighbors to talk, and, ideally, to resolve their grievances.

This is especially valuable regarding cyber action during crises or conflict. Since the perpetrators of hostile cyber action are difficult to identify, a state that is victim to such action has to guess who is responsible. Chances are that suspicions will fall on a neighbor with whom relations are strained. If, on the other hand, relations are relaxed and mechanisms exist to resolve any incipient disputes, the danger of escalating tensions over a hostile cyber act is much reduced.

The OSCE has recently made important progress on this front. In December 2013, the OSCE Council of Ministers approved a first set of confidence-building measures. Participating States have agreed, inter alia, on the following voluntary steps:

- Providing their national views on various aspects of national and transnational threats to and in the use of Information and Communication Technologies;
- Facilitating co-operation among the competent national bodies and exchanging information;
- Holding consultations in order to reduce the risks of misperception, and of possible emergence of political or military tension or conflict that may stem from the use of Information and Communication Technologies;
- Sharing information on measures that they have taken to ensure an open, interoperable, secure, and reliable Internet, and on their national organization, strategies, policies and programs;
- Using the OSCE as a platform for dialogue, exchange of best practices, awareness-raising and information on capacity-building;
- Nominating contact points; and
- Providing a list of relevant national terminology.

OSCE Participating States have agreed that they will, at the level of designated national experts, meet at least three times each year, to discuss information exchanged and explore appropriate development of CBMs.

The OSCE may serve as a model for other regional organizations. Germany is already engaging with other regional organizations, such as UNASUR and the ARF, supporting their work on enhancing cyber stability. We are looking forward to deepening and widening this engagement. This is also in response to the UN GGE recommendation, in its June 2013 report, to support regional, multilateral and international capacity building efforts to secure ICT use and ICT infrastructures.

Conclusion

Cyber capabilities have broken the ring-fence of international security. It needs to be mended.

While all-out cyber-war seems unlikely at present, the limited use of cyber capabilities as part of a larger warfighting effort is a reality. The United Nations is the right forum to foster a discussion on the norms and principles of responsible state behavior in cyber space, including the use of cyber means during conflict. Agreed international rules, principles and norms will help enhance transparency and predictability.

To account for the danger of military crisis developing from cyber incidents, confidence and security building measures are important. Regional organizations, such as the OSCE, can and should play an important role in this regard.
In the words of J.R.R. Tolkien: "The world is full enough of hurts and mischances without wars to multiply them." When Tolkien wrote these words, he was not thinking of a ring-fence, and certainly not of cyber conflict. But although the writer was thinking of an entirely different ring, his words hold true.