Carnegie Europe was on the ground at the 2018 Munich Security Conference, offering readers exclusive access to the debates as they unfold and providing insights on today’s most consequential threats to international peace.

*

This year’s Munich Security Conference (MSC) takes place at a pivotal moment for growing debates about international cybersecurity.

Within the past 24 hours, the United Kingdom, the United States, Denmark, and several other countries have publicly blamed the Russian government of being responsible for the NotPetya ransomware attack that occurred in June last year. It is a significant shift that governments are now willing to take this step of publically and jointly accusing another state of launching a cyberattack. It also highlights that discussions about the rules of the road for cyberspace have taken a back seat. The primary focus is now on trying to hold those who launch malicious cyberattacks to account. 

An early sign of this development occurred last June, when the main process through which the international community had been discussing the implications of cyber threats to international peace and security collapsed. For the first time since 2005, the UN Group of Governmental Experts (UNGGE)—established with the aim of strengthening the security of global information and telecommunications systems—was unable to come to a consensus. Its failure laid bare conflicting views that had long been simmering below the surface.

First, following the setback in June, experts could not even agree whether the UNGGE process up to that point had been a success or a failure.

One camp argues that the UNGGE has been a success with notable achievements since its first consensus report was released in 2010. That document recognized for the first time that cyber threats can pose a risk to international peace and security. Subsequent reports in 2013 and 2015 affirmed that key frameworks—namely sovereignty, the UN Charter, and international law—apply to cyberspace. The former was of particular importance to Moscow and Beijing; the latter was significant for Western capitals. The 2015 UNGGE report even included a catalogue of voluntary norms, providing an aspirational outline of appropriate state behavior that could eventually become state practice.

Yet critics of the process cast doubt on its impact. Their arguments range from substantive to procedural. For example, they argue that voluntary norms are of little consequence. They highlight that there are no agreed upon definitions of “malicious use” of information and communications technology, “critical infrastructure,” or “proxies.”

The recent announcements by the British, American, and other governments over the NotPetya attack address some of these concerns, particularly those about a lack of consequences and enforcement mechanisms to reinforce political commitments. For now, the UNGGE process is on hold and its continuation or evolution remains uncertain, not least because of disagreements over how to assess its impact to date.

Second, Russia’s interference in the 2016 U.S. elections brought to the fore a conceptual challenge that UN diplomats have been avoiding ever since the first resolution on information security was introduced in the General Assembly in the late 1990s. And here’s the essential difference between Moscow and Beijing on the one hand and the West on the other.

Moscow and Beijing use the broad concept of “information security,” combining the technical aspect of hacking with control of information.

Western capitals have adopted the term “cybersecurity” in juxtaposition to highlight that they consider content not to be a cybersecurity concern but a human rights issue. The workaround in UN parlance has been to speak of the “malicious use of information and communications technologies” without defining what “malicious” means.

Importantly, beyond the wordsmithing of diplomats, this Western view of “cybersecurity” is also reflected in the evolution of thinking in Western militaries.

The U.S. military, for example, decided to split “information operations” from “cyber operations” both conceptually and institutionally in the late 1990s and early 2000s. Given Moscow’s combination of information operations—by using social media accounts and cyber operations, for example, to hack the Democratic National Committee and to influence the U.S. elections—Washington is still debating how to adequately respond, and whether it ought to revisit its view on “cybersecurity.”

Third, it is clear that world powers are currently moving farther apart rather than closer together. There are Moscow’s aggressive actions in Ukraine and its election interference; Washington’s growing inward-focus and retreat from the diplomatic world stage; and Beijing’s attempts to fill the vacuum. These shifts raise as many eyebrows as welcoming arms.

Meanwhile, the WannaCry attack that hit systems worldwide in 2017 was the first time that a malware put people’s lives at risk when hospitals in the United Kingdom were forced to turn patients away because their computer systems were no longer working.

And the economic damage of the NotPetya ransomware cost two companies—the pharmaceutical company Merck and the logistics giant Maersk— $300 million each last year alone, with the overall cost possibly in the billions. There is certainly enough blame to go around, from those who launched the malware to those who built it to those who neglected to follow basic security procedures.

But the blame game does not answer the question: What is the international community going to do to collectively and effectively address the growing risk of cyberattacks on a time horizon that keeps pace with the evolving threat landscape?  

The worst-case scenario is that a major cyber incident will force collective action. A preferable outcome would be more substantial progress by the international community to avoid such an event.

With some governments now taking steps to impose greater consequences against those crossing certain lines, it will be important to pursue global cooperation in areas of common interest—perhaps starting with a more narrowly defined focus, such as Carnegie’s proposal for an international commitment to protect financial stability against cyber threats.

One thing is certain: amidst all of this uncertainty for the UNGGE and the world at large, there will be more questions raised than answers found at this year’s MSC.  

 

Tim Maurer is Co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace and author of Cyber Mercenaries: The State, Hackers, and Power, published by Cambridge University Press in January 2018.