The Dynamics of International Cyber Conflict

 

The Boston Global ForumEthics on the Code of Conduct in Cyberspace

Ryan C. Maness, PhDNortheastern University

September 23, 2016

Cyberwar?

• Recent actions in cyberspace make it appear as if we are experiencing a dangerous breakout trend

• Many analysts have framed these violations a representing an era of ever more sophisticated and dangerous cyber conflict

• The reality is more banal

Deterrence is an antiquated strategy

• There can never be a form of deterrence in the cyber world because these incidents can be anonymous and quickly destructive, preventing deterrence considerations from operating

• A system of deterrence is unrealistic in cyber operations because credibility is lacking (willpower, secrecy of tactic) and actors cannot retaliate due to the uncontrollable nature of the weapon.

• Cyber maneuvers to demonstrate resolve and credibility are also limited because of the potential of displayed capabilities to be replicated back on the originator, and the high likelihood of collateral damage.

There is restraint by states

• States have been restrained from using cyber weaponry because:

• 1) the reproducibility of the tactic• 2) cyber weapons are not simple to design• 3) deception present in both the offensive and defensive

domains • 4) the chances of collateral damage• 5) the high potential for diffusion of the conflict by dragging in

third parties through alliances or friendship bonds• 6) blowback since cyber weapons used to great effect will

demand repercussions

Cyber is a battle of information

• We are seeing the rise of cyber espionage and crime, not cyber war

• If the day to day danger are these constant attempts to steal or manipulate information, and not use overt cyber weaponry, how do we structure a code of ethics?

• An obvious answer is to counter the rise of digital espionage and crime, by government and non-state actors by establishing norms of behavior

Cyber is a battle of information

• The reality of cyber espionage and crime suggests an urgent need for more rules in cyberspace. One goal should be to rethink how we store critical information.

• The need for basic cyber hygiene is amply illustrated by Chinese espionage with OPM, the Russian information hacks of the DNC and DNCC, and the probable non-state initiated Yahoo hack

• SCACA hacks such as Stuxnet, Ukrainian power grid hack are exceptions not the rule

The development of norms• Some strides have been made in norm creation• Behind these developing norms is the accepted

international norm of limiting harm to civilians. • The off-limits status of critical infrastructure fits this

normative construct because the main impact of such an attack would be borne by civilians

• Liberal democracies need to find common ground with the large authoritarian cyber powers, China and Russia – Critical infrastructure, intellectual property theft– Current problems: cyber proxies and plausible deniability

Clean up our house first, and fast

• To reinforce a norm of cyber safety, states have to be willing to make investments

• We need: – more cyber hygiene (internal training on how to

deal with potential threats) – a reformulation of the critical infrastructure that

runs important systems, and – greater cooperation between the public and

private sectors.

Attribution not just technical

• Russia and China are able to deny responsibility because of the plausible deniability of the connections to their governments and proxies (Fancy Bear, Cozy Bear, Guccifer 2.0, PLA groups, etc.)

• Need to name and shame in a political context • Diplomacy in curbing cyber action before

escalation and retaliation

Proposed action plans

• Cooperate with the UNESCO-UCLA Chair in Global Learning and Global Citizenship Education deploy a application for practicing the Ethics code of Conduct for Cyber Peace and Security ( ECCC ).

• Build up a Cybersecurity Center in Nha Trang, Vietnam to support for cybersecurity in Southeast Asia as a pilot project in supporting developing countries in their cybersecurity challenges.

Proposed action plans

• Move discourse away from war – The war discourse inflates the threats in this

domain and distracts from critical problems• Promote cyber hygiene • Regulate Industry – There is no regulation as to the claims these

industries make– Cyber security firms must be clear about their

abilities and promises just as any industry must be