Community Talks on Cyber Diplomacy (#3)
Published on March 11, 2021
Anastasiya Kazakova, Public Affairs Manager
Continuing with the limited series of Community Talks, we organized the third edition to discuss mechanisms for conflict resolution and conflict prevention with the following experts:
- Sirine Hijal, Deputy Cyber Foreign Policy Coordinator, Global Affairs Canada, Government of Canada (@Sirinaserena);
- Max Smeets, Senior Researcher, Center for Security Studies (CSS), ETH Zurich, co-founder and director of the European Cyber Conflict Research Initiative (ECCRI.eu) (@Maxwsmeets);
- Kurt Baumgartner, Principal Security Researcher, Global Research & Analysis Team (GReAT), Kaspersky (@k_sec); and
- Camino Kavanagh, Visiting Senior Fellow, Department of War Studies, King’s College London and non-Resident Scholar, Carnegie Endowment for International Peace (@caminokav), as discussant – a special role to challenge the discussion of three panelists and provide a third-party opinion from a policy researcher perspective.
Each time we discuss three simple questions, and for Community Talk #3 they were as follows:
- What good practices/mechanisms already exist for preventing and resolving conflicts stemming from the use of ICTs/cyberspace?
- Where have we failed or still are failing: what do we as a global community not have yet for conflict resolution and conflict prevention in cyberspace?
- What are the priorities for the global community in 2021 in this regard?
Sirine started by emphasizing that most, if not all, states are active in cyberspace. This is where geostrategic competition is happening. What matters is what constitutes acceptable or unacceptable behaviour by states in cyberspace. Another level of complexity is that a lot of malicious cyber activity is happening below the threshold of the use of force under international law, that there is a blurring of lines between virtual and physical conflict and a belief by malicious actors that they can act with impunity.
On the positive side, cyberspace is not the Wild West. There is an internationally agreed framework for responsible state behaviour in cyberspace, consisting of international law, norms of responsible behaviour, confidence building measures and capacity building. This is, in particular, a key matter for the intergovernmental process in the First Committee of the UN where Sirine leads the Canadian delegation and represents Canada.
Max gave three game metaphors in approaching a definition of cyber conflict – he sees cyber conflict as a game of poker (signaling game); as a game of chess (advancing without attacking); or as a game of Go (structurally changing the environment to your advantage). Max added that the first type of conflict is the most public one and this is the field where we might have seen already some policy efforts. For instance, the EU Cyber Diplomacy Toolbox is a set of signaling measures of what is acceptable and what is not. The second and third types of cyber conflict are the most important ones, and the U.S. Cyber Command’s strategy of persistent engagement is an example that takes the direction of the second type, where the goal is not deterrence, but limiting an opponent’s opportunity to act. However, these types require effort and this is an area where joint strategic efforts between Europe and the U.S. are especially needed.
To this, Kurt added that when we discuss ‘cyber conflict’, we should keep in mind that this usually happens not in an exclusive domain, in a vacuum, and additionally he agreed with the game metaphors by adding that identifying the root cause of cyber conflict often results in a separate discussion of geopolitical games rooted in the various motivations and interests of nations. Sharing also a perspective from cybersecurity research, Kurt said that we have seen large operations, but all of this activity can exhibit marks of espionage, theft on a massive scale, and both destruction and disruption. To be better prepared for conflict resolution and settlement, we need national points of contact (PoCs) for reporting incident-related data so non-state actors know whom to contact and with whom to cooperate, and ideally these PoCs should be neutral from geostrategic competition/geopolitics to act as firefighters in the event of a significant cyber incident. Cybersecurity researchers, the technical community, and relevant government bodies need to have secure channels of communication, and clear paths to resolution and stability where, again, they can remain neutral as much as possible.
Where are we failing: what we as a global community don’t have yet for conflict resolution and conflict prevention
Kurt already touched on the gaps and shared examples from his professional experience: in the past, when reaching out to CERTs you generally were met with silence, or they provided notifications for specific devices calling back to a sinkhole, but received no acknowledgement of the notifications; however, often these very specific devices stopped communicating with the sinkholes within 48 hours. Reaching out further and requesting malicious code sharing in order to assist with analysis resulted in silence on the wire as well within 24 hours. Was there more out there to clean up? What happened? There was no data exchanged to further the investigation from the CERTs and the recipient side. We’ll probably never know. It’s critical that CERTs/CSIRTs can work with non-State actors to gather incident-related information and respond to incidents without interference/pressure to inform political attribution decisions.
To that, Sirine noted that we still don’t have an agreement among states on the way forward in the normative and legal space. There are also challenges in implementing the existing non-binding norms for responsible state behavior because of different levels of capacities among states and a lack of knowledge about norm implementation. Other states are not respecting their undertakings in this regard. This can sometimes lead to a lack of accountability, i.e., holding malicious actors to account for malicious ICT activities.
In this regard, Camino highlighted that,
“we need to deepen our understanding of how cyber operations figure in armed conflicts, including support or services provided by third parties; how international law, norms and other relevant measures can offer a framework for considering such operations in peace negotiations or settlements; and the range of private actors – technology companies included – with direct or indirect responsibilities in a particular conflict and the degree of responsibility and legitimacy they have in contributing to preventing or resolving a conflict”.
One of the challenges in building accountability in cyberspace is the lack of transparency and attribution, as was correctly highlighted through questions from the audience. Particularly, Paul Meyer, former Canadian Ambassador for Disarmament and currently a Senior Fellow with The Simons Foundation and a Fellow in International Security at Simon Fraser University in Vancouver, asked how we can assess whether state cyber operations are responsible or not if these operations are conducted covertly. There is transparency in conventional military activity that enables holding states to account; however, this is lacking in militarized cyber activity. Tyson Johnson, Chief Executive Officer, CyberNB CIPnet, asked where we as the global community go with attribution so there is a way to identify ‘ownership’ and help ensure we know who the bad actors are. Otherwise, the ability to play poker, chess or Go is limited, as we do not know who we are really playing with. In this regard, the lack of sharing and exchange of technical data is one of the biggest failures in improving defense capabilities and for achieving attribution.
To this, Kurt agreed that in a number of instances, the ability for nation states to cooperate among themselves and with non-state actors is too difficult. Harmonizing legal frameworks for mutual legal assistance at the national, regional, and international levels to combat cybercrime and targeted attacks is crucial. We need a shift towards defending better, and on the other hand, we rely on law enforcement to prosecute these criminals. We also need a true coalition to build capacity and to see enforcement of agreements and increased technological cooperation across governments.
Before you go…
Before you go, please check the following useful resources shared at the Talk:
- The European Cyber Conflict Research Initiative (ECCRI) and ‘The Big Cyber Ideas Festival’ (@BigCyberIdeas)
- Canada’s implementation of the 2015 GGE norms and updated norms guidance text
- Canada’s commissioned research on gender and cyber (authored by Allison Pytlak and Deborah Brown)
- Brief on ‘Digital technologies and civil conflicts’ by Camino Kavanagh
- Investigative security reports by Kurt Baumgartner at Securelist.com