Ryan Maness, Derek S. Reveron, John Savage, and Alan Cytryn
Introduction
Over the last 30 years the international security environment has been characterized by several security deficits, which are defined as a government’s inability to meet its national security obligations without external support.[1] Intra-state, transnational, and regional actors challenge a sovereign government’s ability to provide a secure environment for their citizens. While evident in countries like Syria and Afghanistan, it is also true in the cyber world.
Transnational organized criminal groups harness the power of the internet to steal identities and conduct financial crimes; terrorist organizations use cyberspace to recruit fighters and promote their destructive deeds; countries employ cyber tools for espionage while laying the groundwork for military operations in cyberspace; and nations worry about disruptions to their critical infrastructure. Cyber challenges like these cut across all dimensions and simultaneously cross into political, economic, and social realms. More than ever, citizens, regardless of nationality, are exposed to risks created by cyber insecurity. Reinforced by intelligence assessments, polling in the United States places cyber insecurity as a leading national security challenge and a pressing concern for citizens and policymakers alike.
Norms are an important response to these threats. Norms provide a guide to state behavior and provide a basis on which to rebuild trust between citizens and governments, to harmonize relations among governments, and to coordinate action against shared cyber threats. If norms are violated by governments, the violation provides ratio decidendi for other countries to take measures to return to the norm.
Characterizing Cyber Threats
Recent actions in cyberspace make it appear as if we are experiencing a dangerous trend towards more sophisticated and dangerous actions in cyberspace that could lead to escalation and eventual international cyber war. Russian interference in U.S. elections, the Sony hack, the Office of Personnel Management (OPM) espionage campaign, the wave of ransomware hacks, and the 2015 Ukrainian power outage affecting 225,000 customers are but a few examples of this phenomenon. Many analysts have framed these violations as representing an era of ever more sophisticated and dangerous cyber conflict.[2] It is becoming accepted that we have entered an era where cyber conflict is tolerated because governments are not responding and cannot respond properly to malicious actions in cyberspace.[3] So far the reality is more benign. We are seeing the rise of nation-state and commercial cyber espionage and crime, but not yet cyber war.
Data collected by Maness, Valeriano, and Jensen on cyber incidents between rival states from 2001 to 2014 finds that 87 of 164 successful cyber incidents (53 percent) could be classified as cyber espionage.[4] These exploits sought information or served to spread disinformation. The greatest proportion of organized cyber exploits are distributed denial of service (DDoS) attacks that are nuisances, with coercive actions like Stuxnet and Shamoon being much rarer.[5] If the data collection were expanded beyond rival states with intense past histories of conflict, the proportion of cyber espionage attacks would be far greater; examples such as a recent hack between Canada and China being the typical example of just what really happens in cyberspace.[6]
Cyber intrusions, while discoverable in principle, often are hidden from the operators of computer networks. The cyber company Mandiant reports that network breaches lasted a median of 205 days amongst their clients and that 69% of network operators learned of breaches from outside parties—such as law enforcement.[7] It should also be noted that cyber espionage occurs between friendly competitors as much as it does with more antagonistic rivals.
If the reality of cyber conflict is more limited than often suggested, we are left with the interesting question of what cyber security issues states should address. An obvious answer is to counter the rise of digital espionage and crime by governments and non-state actors. This approach would enable international cooperation leading to norms of behavior by states investing in substantial cyber capabilities. States must also protect themselves against unlikely, but potentially catastrophic, cyber attacks such as those that could seriously damage their critical infrastructures or their military preparedness.
When thinking about improving security in cyberspace, we should look at how international partners contribute to security in the terrestrial space through cooperative military operations, peacekeeping, international security force assistance, and communication links among rival states. These are important norms to replicate in cyberspace because nations have a common responsibility to guarantee our citizens a minimal level of cybersecurity. Since cyberspace is a reflection of the values of the G7 countries and corporations in these countries dominate the information technology space, G7 countries are well placed to lead the world in establishing cyber norms to improve cybersecurity. As such, the G7 nations must promote the development of social, legal and technological norms and agreements to protect the information and communications infrastructures of the world’s nations and their people.
The Path to Norms
Over the last five years, small groups of governments have formulated international norms of state behavior, particularly for peacetime use. Negotiations have been held at the UN and many other forums. The pace of progress is increasing. For example, in September 2015, the United States and China agreed not to target commercial entities for economic value as a way to slow down intellectual property theft. At the November 2015 G20 summit, governments agreed that nation-state conduct in cyberspace should conform to international law and the UN charter. Additionally, the G20 agreed that no country should conduct or support cyber-enabled intellectual property theft for commercial purposes.
These norms grew out of the work of the UN’s Group of Governmental Experts, which is a set of cyber security experts from a small number of nation-states. The UN group agreed that no country should intentionally damage the critical infrastructure of another state or impair infrastructure that serves the public and would undermine the human rights guaranteed by the UN Declaration. Citing a shared responsibility to promote cybersecurity, the group decided that no country should act to impede the response of Computer Security Incident Response Teams (CSIRTs) to cyber incidents, nor should CSIRTs be used to create cyber incidents. Finally, recognizing a shared insecurity, the UN group noted that countries should cooperate with requests from other nations to investigate cybercrimes and mitigate malicious activity emanating from their territory.
In May 2016, cybersecurity was featured prominently at the G7 summit in Ise-Shima, Japan. The summit’s agenda recognized that cybersecurity is a key component of the global economy and trade, development, and quality infrastructure investment. Participating countries considered norms recommended by the Boston Global Forum (BGF), which is chaired by former Massachusetts Governor Michael Dukakis.[8]
The BGF endorsed private and public efforts to improve ethical Internet behavior following the UCLA Global Citizenship Education Program and the Boston Global Forum’s Ethical Code of Conduct for Cyber Peace and Security.[9]
The G7 Ise-Shima Leaders’ Cyber Norms
Cyber norms endorsed by the G7 leaders in 2016 are shown below.[10]
We strongly support an accessible, open, interoperable, reliable and secure cyberspace as one essential foundation for economic growth and prosperity. This also enhances the common values of the G7, such as freedom, democracy and respect for privacy and human rights.
We will take decisive and robust measures in close cooperation against malicious use of cyberspace, both by states and non-state actors, including terrorists.
We reaffirm that international law is applicable in cyberspace.
We commit to promote a strategic framework of international cyber stability consisting of the applicability of existing international law to state behavior in cyberspace, the promotion of voluntary norms of responsible state behavior during peacetime, and the development and the implementation of practical cyber confidence building measures between states.
In this context, we welcome the report of the UN Group of Governmental Experts in 2015 and call upon all states to be guided by the assessments and recommendations of the report.
We also reaffirm that no country should conduct or knowingly support ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to its companies or commercial sectors.
We commit to facilitate the free flow of information to ensure openness, transparency and freedom of the Internet, and a fair and equal access to the cyberspace for all actors of digital economy while respecting privacy and data protection, as well as cyber security.
We commit to the protection and promotion of human rights online.
We commit to promote a multi-stakeholder approach to Internet governance which includes full and active participation by governments, the private sector, civil society, the technical community, and international organizations, among others.
We recognize that states have particular responsibilities and roles in the ICT environment, just as elsewhere to promote security, stability and prosperity.
We commit to collaborate to maximize the potential of the digitally connected world, and to address global challenges, bridge digital divides, realize inclusive development, and to achieve progress on the 2030 Agenda.
We endorse the G7 Principles and Actions on Cyber, as set out in the Annex to promote and protect an open, interoperable, reliable and secure cyberspace.
We decide to establish a new G7 working group on cyber to enhance our policy coordination and practical cooperation to promote security and stability in cyberspace.
Imperative for Norms
Given that cyberspace is a civilian space, it is important to engage vendors of cyberspace technology in the discussion of norms for responsible state behavior. Microsoft has begun this effort and has announced six norms designed to increase trust in vendor products and services, encourage countries that develop cyber weapons to design them in such a way as to minimize collateral damage, and to help the private sector “to detect, contain, respond to, and recover from events in cyberspace.”[12] States should take these nascent efforts seriously and engage these firms in norms formulation.
Technology experts must be at the table with policymakers when such policy is formulated, errors are easily made that may lead to poorly formulated international norms or domestic legislation. Thus, it is essential that academic and technology experts be engaged and treated as co-equals with policymakers during this process. This is important given firms can play a large role in global citizenship education to build a sustainable peace and security in cyberspace.[13]
Next Steps
The first step is to develop cyber risk reduction measures. Next, it would be important to assess and improve the cybersecurity of national critical infrastructures. Third, take steps to reduce the number of domestic compromised computers, particularly those that have been marshalled into botnets. Finally, improve domestic cybersecurity through advisory and legislative measures.[14]
In addition to cyber risk reduction measures, the G7 nations should promote the development, identification, sharing and adoption of “best practices” in the cybersecurity area with particular focus on developing countries. Developing countries should make investments to secure their infrastructure, this is essential to security and preventing a widening gap in the capabilities of nations. These investments are essential to reducing costs resulting from cybercrime and espionage and to increasing the confidence and trust of businesses to operate in developing countries.
Developed and developing countries should make investments and undertake cooperation efforts to re-envision methods of education and learning, utilizing the global information and telecommunication infrastructure to enhance the accessibility of suitable educational opportunities for people everywhere. There are no borders in cyberspace, and our networks are only as strong as the weakest access point. By promoting cybersecurity norms, enabling cooperation among G7 countries, and assisting developing countries, we all become more secure from actors that place individuals at the forefront of the cybersecurity threat.
Conclusions
It is clear that nefarious cyber operations are increasing. The most dangerous cyber actions that many warn against have not occurred, even in situations where they are most likely, such as Russia’s conflict against Ukraine in 2014-2015, Syria’s expanding conflict that began in 2011, or NATO’s conflict against Libya in 2011.[15] That the U.S. government has not suffered a major attack that includes death or destruction of physical equipment outside of a few examples suggests that the wider trend in cyber security is of stability and safety—which was invoked in the norms advocated by the G20. Put another way, state actors are currently observing the norm of no peacetime launch of cyber weapons with the potential for physical harm.[16]
The shared cyberinsecurity need not be paralyzing, but can be a basis for international cooperation in which the G7 governments have important roles to play. Behind these developing norms is the accepted international norm of limiting harm to civilians. Even states that are not otherwise fully committed to emerging norms express concern for civilian victims. The off-limits status of critical infrastructure fits this normative construct because the main impact of such an attack would be borne by civilians.
To reinforce a norm of cyber safety, states have to be willing to make investments. Our digital world is insecure because states and corporations have not made a significant effort to reform and reorganize computer security. As the world’s leading liberal democratic states, it is crucial the G7 countries act to secure their portion of cyberspace and help developing nations to do the same.
The authors would like to thank Tuan Ahn Nguyen, Michael Dukakis, Thomas Patterson, and all other members of the Boston Global Forum for their support and coordination of this endeavour.
Ryan Maness will be an assistant professor in the Defense Analysis Department at the Naval Postgraduate School in Monterey, California beginning in August 2017.
Derek S. Reveron is a professor of National Security Affairs and the EMC Informationist Chair at the U.S. Naval War College in Newport, Rhode Island.
John Savage is the An Wang Professor of Computer Science at Brown University in Providence, Rhode Island.
Alan Cytryn is is with Risk Masters International, LLC, a consulting firm that advises clients on Risk Mitigation and Management, including business continuity planning, disaster recovery, and recovery from cyber attacks.
The opinions expressed in this article are the authors' alone and do not reflect those of the U.S. Navy, the Department of Defense, or the U.S. Government.
Have a response or an idea for your own article? Follow the logo below, and you too can contribute to The Bridge:
Enjoy what you just read? Please help spread the word to new readers by sharing it on social media.
Header Image: Glance Internet image of the cyber domain (Glance Internet)
Notes:
[1] Reveron, Derek S. Exporting Security: International Engagement, Security Cooperation, and the Changing Face of the US Military, Second Edition. (Washington, D.C.: Georgetown University Press, 2016).
[2] Ian Bremmer. “These 5 Facts Explain the Threat of Cyberwar.” Time 6/19/15, Accessed 8/12/15, http://time.com/3928086/these-5-facts-explain-the-threat-of-cyber-warfare/
[3] Dunn-Cavelty, Miriam.“The Normalization of Cyber-International Relations“, in: Olive Thränert, Martin Zapfe (eds) Strategic Trends 2015: Key Developments in Global Affairs (CSS 2015): 83.
[4] Maness, Ryan C., Brandon Valeriano, and Benjamin Jensen. 2016. Coding Manual for v1.5 of the Dyadic Cyber Incident and Dispute Dataset, 2000-2014, Available at drryanmaness.wix.com/irprof, 2016.
[5] Maness, Ryan C. and Brandon Valeriano. “The Impact of Cyber Conflict on International Interactions.” Armed Forces and Society 42 (2, 2016): 301-323.
[6] Steven Chase and Colin Freeze. “Chinese hacked government computers, Ottawa says.” The Globe and Mail, 7/29/14, accessed 8/7/15, http://www.theglobeandmail.com/news/national/chinese-hacked-government-computers-ottawa-says/article19818728/
[7] M-Trends 2015: A View from the Front Lines, accessed 6/7/16 at https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
[9] Boston Global Forum. Ethics Code of Conduct for Cyber Peace and Security, December 12, 2015, accessed 3/14/16. http://bostonglobalforum.org/2015/11/the-ethics-code-of-conduct-for-cyber-peace-and-security-eccc-version-1-0/
[10] See G7 Ise-Shima Leaders’ Declaration, accessed 6/7/16 at http://www.mofa.go.jp/files/000160266.pdf. Numbers were added for clarity.
[11] G7 Principles and Actions on Cyber are available at http://www.mofa.go.jp/files/000160279.pdf, accessed 6/7/16.
[12] International Cyber Security Norms: Reducing Conflict in an Internet-Dependent World, Microsoft 2014, accessed 6/7/16 at http://download.microsoft.com/download/7/6/0/7605D861-C57A-4E23-B823-568CFC36FD44/International_Cybersecurity_%20Norms.pdf
[13] NSA Methodology for Adversary Obstruction, August 2015, accessed 6/7/16 at https://www.fveydocs.org/document/methodology-adversary-obstruction/
[14] Les Bloom and John Savage, “On Cyber Peace,” August 8, 2011. http://www.atlanticcouncil.org/publications/issue-briefs/on-cyber-peace
[15] Eric Schmitt and Thom Shanker. “U.S. Debated Cyberwarfare in Attack Plan on Libya.” The New York Times, 10/17/2011, accessed 4/21/2015, http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html
[16] Valeriano, Brandon and Ryan C. Maness. Cyber War versus Cyber Realities: Cyber Conflict in the International System (New York: Oxford University Press, 2015 ).