Destroying the Ring-Fence: Cyber Stability in Wider International Security Calculus

Introduction

When the ring-fence around your pasture gets broken, your cattle may wander outside, or predators may get in. Neither is a good thing. Imagine States as cattle: They roam around a well-defined pasture, called the international security system. Multiple instruments of international law -- bilateral agreements as well as multilateral norms, rules, principles and procedures to which states adhere -- form the ring-fence surrounding that pasture.

Now, the ring-fence has been broken. The ram that tore it down is cyber technology. Two things are happening as a consequence: First, states wander outside. They begin exploring the world beyond the fence, in this case cyberspace. They find it confusing, even irritating. In the words of U.S. settler and pioneer Ebenezer Bryce: "A hell of a place to lose a cow" (Bryce was describing the canyon later named in his honor). Second, predators are getting in -- criminals and terrorists.

A New Challenge to the International Security system

Numerous states are pursuing military cyber-capabilities. In many instances, these are defensive; in others they may be offensive, but limited to supporting traditional military operations. Often, we do not know. The United Nations Institute for Disarmament Research, in its most recent Cyber Index, found on the basis of publicly available information that there were 114 national cyber security programs world-wide. According to this index, forty-seven states have cyber-security programs that give some role to the armed forces.

Cyber capabilities are not limited to great military powers. This sets them apart from traditional military capabilities. They even transcend the established lines of state-centered warfare: A private actor -- be it a legitimate business, a criminal, or a terrorist -- cannot usually obtain, train and use weapons of war. In the electronic world, private hackers developing malware are a fact of life; their services are easily available for hire to anybody who pays.

Stories of how criminals are using the internet for their purposes have become commonplace. It is no coincidence that the first international convention designed to address cyberspace is the 2001 Budapest Cybercrime Convention. The step from common crime to politically motivated acts, even terrorism, is not far. We know that Al Qaida is skillfully using the internet as a propaganda and recruitment tool. We cannot exclude that terrorist groups will try to go the next mile and use the net for cyber-terrorism.

Cyber stability is affecting international security calculus. An exclusive, all-out cyber-war has not happened, but as part of conflicts, hostile cyber action has been taken: 2007 against Estonia, 2008 against Georgia, 2010 against Iran, 2013 against South Korea, and at other times when we did not even notice. In the context of the Syrian war, denial-of-service attacks have been reported against U.S. news outlets and financial institutions.

Cyber action is not limited to cyber space. It can cross domains and create real damage in the physical world. The Stuxnet virus resulted in the destruction of centrifuges; one might also think of a virus disrupting a country's power supply, which would have tremendous physical consequences in any advanced industrial society.

Cyber Capabilities and International Security Calculus

Traditional political-military strategies predate the existence of a global information and communications network, used almost universally and upon which much of the world economy relies. Cyber capabilities do not fit into these strategies.
However, it would be risky to ignore this new reality, along the lines of French Marshal Ferdinand Foch, who famously remarked in 1911: «Les avions sont des jouets intéressants, mais n'ont aucune utilité militaire.» ("Airplanes are interesting toys, but have no military use.")

During the Cold War, the opposing parties built their defense on the idea that the best defense is to deter an enemy state from attacking. This is not an entirely new thought -- the Romans had the proverb "Si vis pacem para bellum" ("If you want peace, prepare for war"), and the same idea is present also in earlier works, such as Plato's Nomoi. There is a corollary: In the event of a failure of deterrence, an adversary should be denied the success of his or her action.

Deterrence and denial require that the consequences of any attack be clearly and credibly communicated to any potential adversary. This is next to impossible in cyberspace: Actors may not be known; they do not even have to be states. Perpetrators show great skill in hiding behind multiple screens. Uncertainty about the origin of hostile cyber-action is a characteristic of cyber-incidents. This makes it impossible to threaten negative consequences of such action, and to do so with any degree of credibility. Under such circumstances, deterrence does not work.

Denial -- raising the cost of an attack so as to make a success worthless -- is difficult, if not impossible, in a field where technology is rapidly advancing. With processing speeds doubling roughly every eighteen months, today's impenetrable protection quickly becomes an insufficient shield.

If political-military strategies fail to account for cyber capabilities, so does traditional arms control: The 1968 Nuclear Non-Proliferation Treaty differentiates between five nuclear powers and those signatory states that do not have nuclear weapons. By comparison, it would be foolish to negotiate an arms control or even disarmament treaty for cyber-weapons, given the potentially unlimited number of actors that can procure computer malware. The difficulties of defining a "Cyber Weapon" in the first place need no mention.

Cyber Conflict Scenarios

What are the scenarios for cyber conflict? I would like to sketch three. Each of them leads to a distinct set of questions and conclusions. The scenarios are (1) all-out cyber-war, (2) the limited use of cyber capabilities as part of a larger warfighting effort, and (3) an international military crisis developing from a cyber-action.

1. All-out cyber war.

The idea may hold some attraction that a cyber-attack could cripple a country's military force, economy and communication, defeating it without a shot. Could this be a humane war? Even if this was the case -- and this is up for debate -- all-out cyber war seems unlikely at present. Andrew Lewis, who studies cyber issues for the Center for Strategic and International Studies, has argued convincingly:

"A full-blown, no-holds-barred cyber-attack against critical infrastructure and networks might be able to reproduce the damage wrought by Hurricane Katrina, with crucial services knocked out and regional economic activity severely curtailed. While Katrina brought immense suffering and hardship, it did not degrade U.S. military capabilities and would not have led to a U.S. defeat. Multiple, simultaneous Katrinas would still not guarantee victory and could risk being seen as an existential threat that would justify a harsh kinetic response." (James Andrew Lewis, Cyber Attacks, Real or Imagined, and Cyber War, Center for Strategic and International Studies, 2011).

The term "cyber war" is inadequate. It conjures a misleading picture of the threat situation in cyberspace, and of the possible countermeasures. Cyber war implies an extensive, existential threat to a state solely through targeted attacks by other states on computer systems and IT networks, or through other actions in cyberspace. For the foreseeable future, cyberspace will not be the exclusive environment of any conflict that might be qualified as war(-fare).

Nevertheless, it would be unwise to exclude the possibility that someone might attempt all-out cyber war. Anticipating such an eventuality, important questions arise: Is a state authorized, under international law, to respond to hostile cyber action by the use of force? Is there a threshold? The United Nations Charter says, in Article 51, that states have the right to self-defense in the event of an armed attack. But is hostile cyber-action an armed attack? In Germany's opinion, this depends on its scale and effects: If a state finds itself the target of a cyber-operation with effects comparable to an armed attack, it may exercise its right of self-defense.

2. Limited use of cyber capabilities as part of a larger warfighting effort

A more likely scenario seems to be the limited use of cyber capabilities as part of a larger warfighting effort. Cyber-attacks in combination with conventional means of conflict can pose a major threat, for which we must prepare.

All countries today rely on modern information and communication technology (ICT), albeit to a varying extent. Even where the military duplicates civilian infrastructure, e.g. by using its own communications network without link to the internet, ICT plays a role: In the internet of things, Web 3.0, machines rely on ICT to work. And even if a military should forego such machines, proceeding, e.g., without satellite communication and GPS, the underlying civilian economy can no longer be expected to work without using modern ICT. This is why cyber action must be expected to form part of any future warfighting effort.

As part of a larger war effort, the effect of cyber capabilities on international security calculus is limited. Nevertheless, this realization leads to questions which beg discussion: Are there cyber acts that would be unacceptable under international law? I am thinking of action that could have important negative consequences on the civilian population, such as attacks on certain critical infrastructure, nuclear power plants or hospitals. They might well be inadmissible under the general rules of international law aimed at protecting civilians from the indiscriminate effects of weapons and combatants from unnecessary suffering.

The two scenarios presented so far illustrate that we need to engage in an international discussion on the norms and principles of responsible state behavior in cyber space, including on the conduct of cyber warfare. Agreed international rules, principles and norms will help enhance transparency and predictability of state behavior in cyberspace.

The Tallinn Manual, presented 15 March 2013, was a valuable step in this direction. However, the Tallinn Manual is neither universally accepted, nor is it an official document: It is an expression of opinions by a group of independent experts, acting solely in their personal capacity.

To establish a universal understanding of the norms and principles of responsible state behavior in cyber space, we need to turn to the United Nations. The last Group of Governmental Experts on Developments in the Field of Information and Telecommunications (GGE) has done important work in this direction. Its June 2013 report to the UN Secretary General has made clear that international law, and in particular the UN Charter, is applicable to cyber space and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment. At the same time, the GGE found that state sovereignty and international norms and principles that flow from sovereignty apply to State conduct of ICT-related activities, and to their jurisdiction over ICT infrastructure within their territory.

It was a good decision by the General Assembly, in its resolution A/C.1/68/L.37 of 27 December 2013, to mandate a new GGE to study, with a view to promoting common understandings, existing and potential threats in the ICT sphere and possible cooperative measures to address them, including norms, rules or principles of responsible behavior of states and how international law applies to the use of ICT by states.

Any discussion on the norms and principles of responsible state behavior in cyber space must be based on the understanding that international law, and in particular the UN Charter, is applicable to the ICT environment. An important consequence that follows from the premise that existing law represents the appropriate framework for activity in cyberspace is that individuals enjoy the same universal human rights offline as online. This includes the freedom of expression -- including the freedom to seek and impart information --, the freedom of assembly and association, and the right to privacy, as the UN General Assembly unanimously confirmed in December 2013.

3. Military crisis developing from cyber incident.

The dependence of the modern world on ICT carries the danger that cyber incidents may escalate into real-life conflict.
Consider the following scenario: A country is in a tense political situation. Relations with a neighboring state are strained. All of a sudden, the main telephone and internet provider becomes victim to a software bug. Nobody can make phone calls, there are no e-mails. With electronic communications down, the banking system collapses. News web-sites cannot be reached, there are no mass media. Government, economy and also security services are paralyzed. The situation deteriorates: Trains no longer run, airplanes cannot fly, the power grid collapses, and sanitation breaks down. Hospitals have no water or lights, food distribution collapses, security services are incommunicado. All because of a little, hard-to-detect software bug.

Who planted this bug? For what reason? Suspicions run high that the less friendly neighbor perpetrated a cyber-attack. The danger of escalation is evident.

The realization that cyber action may easily escalate into a military crisis illustrates the need for confidence and security-building measures. Regional organizations may play a special role in this context: They bring together those states that are most likely to have difficult relations. It is far more likely that two neighbors share a dispute over a border area, the delineation of a sea border, or the use of natural resources than that two faraway countries are in conflict. Regional organizations provide a forum for such neighbors to talk, and, ideally, to resolve their grievances.

This is especially valuable regarding cyber action during crises or conflict. Since the perpetrators of hostile cyber action are difficult to identify, a state that is victim to such action has to guess who is responsible. Chances are that suspicions will fall on a neighbor with whom relations are strained. If, on the other hand, relations are relaxed and mechanisms exist to resolve any incipient disputes, the danger of escalating tensions over a hostile cyber act is much reduced.

The OSCE has recently made important progress on this front. In December 2013, the OSCE Council of Ministers approved a first set of confidence-building measures.
Participating States have agreed, inter alia, on the following voluntary steps:

- Providing their national views on various aspects of national and transnational threats to and in the use of Information and Communication Technologies;
- Facilitating co-operation among the competent national bodies and exchanging information;
- Holding consultations in order to reduce the risks of misperception, and of possible emergence of political or military tension or conflict that may stem from the use of Information and Communication Technologies;
- Sharing information on measures that they have taken to ensure an open, interoperable, secure, and reliable Internet, and on their national organization; strategies; policies and programs;
- Using the OSCE as a platform for dialogue, exchange of best practices, awareness-raising and information on capacity-building;
- Nominating contact points; and
- Providing a list of relevant national terminology.

OSCE Participating States have agreed that they will, at the level of designated national experts, meet at least three times each year, to discuss information exchanged and explore appropriate development of CBMs.

The OSCE may serve as a model for other regional organizations. Germany is already engaging with other regional organizations, such as UNASUR and the ARF, supporting their work on enhancing cyber stability. We are looking forward to deepening and widening this engagement. This is also in response to the UN GGE recommendation, in its June 2013 report, to support regional, multilateral and international capacity building efforts to secure ICT use and ICT infrastructures.

Conclusion

Cyber capabilities have broken the ring-fence of international security. It needs to be mended.

While all-out cyber-war seems unlikely at present, the limited use of cyber capabilities as part of a larger warfighting effort is a reality. The United Nations is the right forum to foster a discussion on the norms and principles of responsible state behavior in cyber space, including the use of cyber means during conflict. Agreed international rules, principles and norms will help enhance transparency and predictability.

To account for the danger of military crisis developing from cyber incidents, confidence and security building measures are important. Regional organizations, such as the OSCE, can and should play an important role in this regard.

In the words of J.R.R. Tolkien: "The world is full enough of hurts and mischances without wars to multiply them." When Tolkien wrote these words, he was not thinking of a ring-fence, and certainly not of cyber conflict. But although the writer was thinking of an entirely different ring, his words hold true.