In seeking international cyber norms for states, one should be careful about blowing smoke; sometimes it could start a fire.

Cyberspace by its very nature has an international dimension. Without it, there would be no possibility for the Internet to grow and function. In turn, threats that come from cyberspace also require an international response, especially the threats from state-resourced APTs to the devices used to monitor and control processes in critical infrastructure. These threats have the potential to disrupt a nation’s economy and threaten the well-being of its society. The need to manage this threat should be self-evident to all, and this is where international “norms” or confidence building measures for states to follow in cyberspace come in. In addition to all the efforts by operators of critical infrastructure to insure against the success of cyber-attacks in degrading or destroying their systems, they need help from the international community as well to keep from becoming isolated targets. Their efforts must also be complemented with the support of their Governments in cooperation with international organizations. It is quite surprising that the most restrictive proposals for addressing this issue, which should be a common concern for all civilized countries, have not come from the countries one would expect. Instead they have come from countries that are frequently on the “list of usual suspects” when the actions of APTs are reported (1). This week proposals for norms that call for states to refrain from directing malicious cyber activities at another state’s critical infrastructure are under discussion in a meeting of the United Nations Group of Government Experts (2). Instead of supporting sensible initiatives, one cyber superpower is calling to “adopt existing cyber rules of the road and confidence building measures rather than developing new ones” (3). This at first also sounds like a sensible proposal, if one assumes that such “existing cyber rules” already exist. What are these existing rules?
Where are the ones that can apply to these new and dynamic threats from cyberspace written down? Who monitors and informs when there is a violation? Apparently, a vague-sounding proposal to share information about threats and inform each other of cybersecurity strategies seems to be the most concrete of the counterproposals to meet the cyber threat to critical systems posed by state-supported APTs (4). Are these diplomats really working toward addressing a commonly perceived threat, or putting up some smoke to mask their national interests? Surely, one does not need an international agreement on norms that include a recommendation to share one’s cybersecurity strategy with a cyber neighbor. This information is available over the Internet without any coercion. Just do a search on the web and you will quickly come up with a selection of national cyber strategies (5). I would suspect that if one diplomat were to ask for a copy of his nation’s cybersecurity strategy, the request would be accepted with pleasure. Sharing information is not the main problem.

Making passive proposals is wholly inadequate to the task when considering the changes over the past 7 years in the cyberspace environment, an environment that is frequently referred to as a military domain (6). Since 2010 it has witnessed the discovery of STUXNET weaponized malware in a nuclear facility, cyber intrusions on the control systems of steel mills and power grids, attacks on the communications equipment of national TV networks, and the erasing of the disks on the computers of a world-class energy company, to name just a few of the publicly reported incidents.

One may ask why smoke is being blown in our eyes. Why, in the case of one cyber superpower, has its position on norms reversed itself in just a few years? (7) What is the guiding factor? I can propose that there is a correlation between the level of confidence a nation has in its cyber capacity to prevail in a conflict and its national position on norms. The relationship goes this way. The more a state believes in the usefulness of engaging in effective, cheap and deniable malicious cyber activities and, most importantly, in its ability to prevail in a conflict, the more likely it will be interested in superficial, non-policy-restricting norms: norms that will do nothing to restrict the use of a nation’s “Cyber Toys”, which it values and likes to play with. On the other hand, nations that feel that they are in a weaker position in terms of defending against state-sponsored APTs on their critical infrastructure are more likely to support norms that will make such scenarios less likely to happen.

The danger is in the passage of time and the increasing seriousness of cyber incidents and attacks on systems vital to the functioning of modern society. These are incidents which get some press attention but do not initiate any collective action by the community of nations. Ukraine’s power grid was cyber attacked in December 2015, causing the operator to lose SCADA. In December 2016 a similar attack occurred again, only this time, instead of a region being affected by a power outage, it was a nation’s capital. Returning to the question of norms of trust and transparency among nations in an increasingly vulnerable cyberspace: who is blowing smoke at whom here?

The possible belief by a cyber superpower that supporting superficial norms would maintain its positive public image and its cyber superiority can be a false one. At the start of World War I the French had their “Plan 17” and the Germans had their “Von Schlieffen” plan, which on paper proved to each nation that its forces were superior and would prevail over the adversary. Both plans could not be right, and the unknowns of the application of new technologies to warfare and the irrational stubbornness in its execution, in spite of reasonable calls for caution, led to unexpected and disastrous results for both sides and for their neighbors (8). Let us hope reason and common interest will prevail in the future deliberations of organizations seeking ways to manage the increasing militarization of cyberspace by states. The operators of our critical infrastructure are considered in some dangerous quarters to be legitimate targets in peacetime. In this potentially dangerous atmosphere, operators cannot ensure the safety and security of their systems on their own; serious norms designed to increase confidence among nations must be part of an effort to make systems safer and less vulnerable than they are now. The diplomats still have time to come up with a concrete proposal that would meet the objective of lowering mistrust and increasing confidence. Their failure will likely be passed on to the institutions where the use of force is the only option available in their camouflaged portfolios.

An update: This just came in today, February 15th: Microsoft called for state norms at a conference this week. Industry is getting it, but the diplomats and the Governments they represent are 5 years behind where they should be. See the article just below for more info.

https://www.itnews.com.au/news/microsoft-seeks-rules-of-engagement-for-state-sponsored-attacks-451188?eid=3&edate=20170215&utm_source=20170215_pm&utm_medium=newsletter&utm_campaign=daily_newsletter

References:
1. See Shanghai Cooperation Organisation 2011 letter to U.N., Section II Code of Conduct, Nr. 2. http://www.fmprc.gov.cn/mfa_eng/wjdt_665385/2649_665393/t858323.shtml
2. http://www.nextgov.com/cybersecurity/2017/02/new-international-cyber-rules-likely-table-un-experts-group/135193/?oref=nextgov_cybersecurity
3. Ibid.
4. Ibid.
5. https://ccdcoe.org/strategies-policies.html
6. http://archive.defense.gov/news/newsarticle.aspx?id=61310
7. http://www.nextgov.com/cybersecurity/2017/02/new-international-cyber-rules-likely-table-un-experts-group/135193/?oref=nextgov_cybersecurity
8. Read B. Tuchman’s “Guns of August” about the first month of fighting in WW I.

https://enseccoe.org/en

NOTE: The views expressed within this blog entry are the author’s and do not represent the official view of any affiliated institution or organization. Vytautas Butrimas has been working in information technology and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. He has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) and is a member of ISA 99 Workgroup 13, which is developing Micro Learning Modules on the ISA 62443 Industrial Automation and Control System Security Standard, and Workgroup 14 on security profiles for substations.