Carnegie Europe was on the ground at the 2018 Munich Security Conference, offering readers exclusive access to the debates as they unfold and providing insights on today’s most consequential threats to international peace.
This year’s Munich Security Conference (MSC) takes place at a pivotal moment for growing debates about international cybersecurity.
Within the past 24 hours, the United Kingdom, the United States, Denmark, and several other countries have publicly blamed the Russian government for the NotPetya ransomware attack that occurred in June last year. It is a significant shift that governments are now willing to take this step of publicly and jointly accusing another state of launching a cyberattack. It also highlights that discussions about the rules of the road for cyberspace have taken a back seat. The primary focus is now on trying to hold those who launch malicious cyberattacks to account.
An early sign of this development occurred last June, when the main process through which the international community had been discussing the implications of cyber threats to international peace and security collapsed. For the first time since 2005, the UN Group of Governmental Experts (UNGGE)—established with the aim of strengthening the security of global information and telecommunications systems—was unable to come to a consensus. Its failure laid bare conflicting views that had long been simmering below the surface.
First, following the setback in June, experts could not even agree whether the UNGGE process up to that point had been a success or a failure.
One camp argues that the UNGGE has been a success with notable achievements since its first consensus report was released in 2010. That document recognized for the first time that cyber threats can pose a risk to international peace and security. Subsequent reports in 2013 and 2015 affirmed that key frameworks—namely sovereignty, the UN Charter, and international law—apply to cyberspace. The former was of particular importance to Moscow and Beijing; the latter was significant for Western capitals. The 2015 UNGGE report even included a catalogue of voluntary norms, providing an aspirational outline of appropriate state behavior that could eventually become state practice.
Yet critics of the process cast doubt on its impact. Their arguments range from substantive to procedural. For example, they argue that voluntary norms are of little consequence. They highlight that there are no agreed-upon definitions of “malicious use” of information and communications technology, “critical infrastructure,” or “proxies.”
The recent announcements by the British, American, and other governments over the NotPetya attack address some of these concerns, particularly those about a lack of consequences and enforcement mechanisms to reinforce political commitments. For now, the UNGGE process is on hold and its continuation or evolution remains uncertain, not least because of disagreements over how to assess its impact to date.
Second, Russia’s interference in the 2016 U.S. elections brought to the fore a conceptual challenge that UN diplomats have been avoiding ever since the first resolution on information security was introduced in the General Assembly in the late 1990s. And here’s the essential difference between Moscow and Beijing on the one hand and the West on the other.
Moscow and Beijing use the broad concept of “information security,” combining the technical aspect of hacking with control of information.
Western capitals have adopted the term “cybersecurity” in juxtaposition to highlight that they consider content not to be a cybersecurity concern but a human rights issue. The workaround in UN parlance has been to speak of the “malicious use of information and communications technologies” without defining what “malicious” means.
Importantly, beyond the wordsmithing of diplomats, this Western view of “cybersecurity” is also reflected in the evolution of thinking in Western militaries.
The U.S. military, for example, decided to split “information operations” from “cyber operations” both conceptually and institutionally in the late 1990s and early 2000s. Given Moscow’s combination of information operations—by using social media accounts and cyber operations, for example, to hack the Democratic National Committee and to influence the U.S. elections—Washington is still debating how to adequately respond, and whether it ought to revisit its view on “cybersecurity.”
Third, it is clear that world powers are currently moving farther apart rather than closer together. There are Moscow’s aggressive actions in Ukraine and its election interference; Washington’s growing inward-focus and retreat from the diplomatic world stage; and Beijing’s attempts to fill the vacuum. These shifts raise as many eyebrows as welcoming arms.
Meanwhile, the WannaCry attack that hit systems worldwide in 2017 was the first time that malware put people’s lives at risk, when hospitals in the United Kingdom were forced to turn patients away because their computer systems were no longer working.
And the NotPetya ransomware cost two companies—the pharmaceutical company Merck and the logistics giant Maersk—$300 million each last year alone, with the overall cost possibly in the billions. There is certainly enough blame to go around, from those who launched the malware to those who built it to those who neglected to follow basic security procedures.
But the blame game does not answer the question: What is the international community going to do to collectively and effectively address the growing risk of cyberattacks on a time horizon that keeps pace with the evolving threat landscape?
The worst-case scenario is that a major cyber incident will force collective action. A preferable outcome would be more substantial progress by the international community to avoid such an event.
With some governments now taking steps to impose greater consequences against those crossing certain lines, it will be important to pursue global cooperation in areas of common interest—perhaps starting with a more narrowly defined focus, such as Carnegie’s proposal for an international commitment to protect financial stability against cyber threats.
One thing is certain: amidst all of this uncertainty for the UNGGE and the world at large, there will be more questions raised than answers found at this year’s MSC.
Tim Maurer is Co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace and author of Cyber Mercenaries: The State, Hackers, and Power, published by Cambridge University Press in January 2018.


Comments(1)
There is the paradox that engines meant to spread knowledge and create a better world always had unintended consequences. The printing press, religious wars; the train and telegraph spread the 1848 ideas, and made 1914 the war of the peoples (and that is just in Europe). The Internet follows along the same beaten path. It is almost incomprehensible that the Internet, born in fear of nuclear war, might be the space where one is ignited. Moreover, the ubiquitous cell phone allowed quasi-instantaneous access to information, eliciting immediate reaction. Worse, it is the first time in the history of warfare that an adversary gets free access to a redundant, encrypted global communication network, as the Silicon Valley global advertisers operate unimpeded. The same advertisers will host almost anything on their server farms, provided that there is revenue. It is known that previous campaigns have used Facebook and big data analysis to get an upper hand, so the electorate was already aware that they could be manipulated in this new media. Instead of wasting time on social media looking for political advice, the written press would have been a far better source, including online. CFR, Carnegie, Rand, FA, BBC, Der Spiegel, L’Express, diverse, solid information sources. If the election was shifted by a troll factory, with a minimal budget, that is a big question mark on our collective ability to make educated political choices. In this new world, “Loose lips sink ships!” has been upgraded by “Loose clicks could …”, including trigger the last war. However, if Volkswagen had to pay billions for emissions, why can’t we get those who can’t design software without holes in it pay the same level of fines? It is time for the governments to regulate software, including outsourcing, the way they regulate other critical industries. In this new world the government has the duty to create virtual frontiers, protect citizens against troll factories and Nigerian princes, long overdue.
The alternative is simple: “The worst-case scenario is that a major cyber incident will force collective action. With some governments now taking steps to impose greater consequences against those crossing certain lines…” One day, after a massive blackout, a submarine commander may receive the order to launch a retaliatory strike, one of the new low-yield nuclear weapons. The other side will probably follow the launch-on-warning protocol. Eons later, finally, an intelligent species could repopulate the planet.