The 8 vital questions we need to address about international cybersecurity

This article is part of the World Economic Forum's Geostrategy platform

Cyber space is the realm of computer networks in which information is stored, shared, and communicated online. We use ‘the Internet’ as shorthand, but the term ‘cyber space’ also encompasses the people using the computers and the ways in which this new connectivity has altered society. It is a man-made, virtual world where new generations increasingly live out their lives – it is how they learn, play, shop, bank, develop friendships, and date. Cyber space started as merely a means of communication, spread into e-commerce and is now integral to the ‘critical national infrastructure’ of states – agriculture, food distribution, banking, health-care, transport, water and energy.

Although predominantly a virtual domain, cyber space has a significant physical underpinning – the computers that store data and the systems and infrastructure that allow that data to flow. This includes ‘the Internet’ of networked computers, closed intranets (your internal departmental or company network), cellular technologies, fibre-optic cables and communications satellites. This physical dimension busts the myth that cyber space is entirely stateless – the physical infrastructure and the humans using it are tied to geography, and cyber space is thus subject to notions like sovereignty, nationality and property. Its integration with all facets of personal and national life equally busts the myth that cyber space is purely a technical phenomenon that can be left to the technicians.

Reflecting its origins, contemporary governance of the Internet is dominated by a multistakeholder approach. It emphasises trust, open-mindedness and consensus, with cyber space considered incompatible with traditional international governance models. This model is now contested both by those states arguing that existing international law and governance can and should apply to cyber space, and by those states wishing to create new international governance and law to establish greater state ‘sovereignty’ over cyber space.

In parallel, states and non-state actors, including individuals acting alone, have seized the opportunity to intervene in the code and infrastructure used in cyber space to mount cyber operations to create a physical or cognitive effect.

The threat and opportunity of cyber operations

We have seen cyber criminals defrauding our national economies of large sums. We have argued about the methodology used to calculate the loss – but it is always a high number, somewhere in the region of 1-2% of GDP. This includes criminals impersonating governments online (to steal data or funds from tax returns, for example) or banks or other elements of the private sector.

Such impersonation threatens the trust our citizens place in their online interactions with governments, financial services, and the like, and so threatens the success of our increasingly digital-dependent economies. There is a nexus between some of these cybercrime groups and various states.

States have used cyber means to kick-start their own economic development by plundering the intellectual property and national innovation of other states. The bilateral cyber agreement between the US and China was an attempt to curb such commercial espionage.

We have seen state-sponsored hackers using cyber operations to try to siphon money from the global banking system, for example to circumvent sanctions. As with other cyber operations, we have seen the initiating party lose control of its code, resulting in widespread infection of unintended targets (such as with the Wannacry infection of the UK’s National Health Service).

We have seen well-publicised hack and leak and wider cyber disinformation operations targeting national elections and political parties. These can potentially undermine democratic processes and bring down governments, and generally undermine trust in the data and information governments and societies rely upon for daily operation.

Critical infrastructure

We also see states using cyber operations to threaten the critical national infrastructures (CNI) of nations around the world: their financial institutions, oil industries, nuclear-power plants, power grids and communications routers. In at least one case, we have seen states use cyber operations to impede another state’s capacity to produce nuclear-weapons material.

The Iranian cyber operations against Saudi Aramco provide a good example of a state’s threatening another state’s CNI within its own region. Yet cyber operations allow states to impose their will on adversaries beyond their immediate physical region. For example, Iranian cyber operations have penetrated parts of the CNI of Western states. This ‘asymmetric’ dimension makes cyber operations attractive to regional powers whose other levers of national statecraft are weaker than those of a superpower.

All of this has made nations consider carefully the cyber vulnerabilities in their CNI, especially their vital energy supply, financial services and core telecommunications. States have realised that exploitation of these vulnerabilities, whether deliberate or accidental, could cause widespread damage and panic.

Overall, there have been more than 200 acts popularly portrayed as state-on-state ‘cyber attacks’. Yet the word ‘attack’ poses a definitional problem. Most of these cyber operations have combined espionage, media influence, economic coercion and political intervention, deliberately calibrated below the legal threshold for an act of aggression that would justify an armed response, and therefore fall in the grey zone between peace and war. This ambiguity is enshrined in the doctrine of the main perpetrators. Why risk combat, when you can achieve strategic advantage by operating in the grey zone?

More positively, states have seized the opportunity to use cyber operations against the worst non-state actors, for example to combat international terrorists (notably the Islamic State, or ISIS) and to thwart major cyber criminality. Generally, those states with appreciable cyber capabilities are incorporating them into their military doctrines, plans and national security strategies, and appear to be expanding their investment in such capabilities and increasing the tempo of their cyber-related activities. As part of this, some states are also developing cyber capabilities for military use before and during con€ ict: cyber ‘weapons’ that, as part of a military campaign, can disrupt an adversary’s energy supply, transport and logistics, or conventional (or even nuclear) weapons systems.

The growth of cybersecurity

The growing appreciation of the threat from cyber operations has produced increased investment by governments and the private sector in protecting and defending networks, data and information. This is ‘cyber security’: the technical and human means to detect, diagnose, stop and deter unwanted cyber operations. Technical means include the automatic monitoring of networks to detect intrusions, based on up-to-date intelligence on the technical nature, modus operandi and intent of any potential ‘attack’. Anti-virus software can be used to block low-level attacks on individual devices and networks, for example. Some states are exploring more ‘active’ measures across their wider national networks, to move beyond merely detection and blocking to automatically disrupting and eliminating ‘attacks’.

Human means range from the sensible application of basic policies (like password settings and patching) to public attribution, démarches, and escalation (such escalation does not have to adopt cyber methods, but could for example be economic sanctions). The broad strategic objective is to deter a cyber adversary by demonstrating the strength of a nation’s defences and thus significantly altering that adversary’s cost/benefit calculation: deterrence by denial.

The view commonly held by the cyber security community, however, is that good defensive measures can stop or deter roughly 90% of ‘attacks’, but not all of them.3 The most sophisticated attacks, those prioritised and resourced by a highly cyber-capable state, can still get through. One result is that the conversation has evolved from attempting to secure everything fully to mitigating the risks of a successful ‘attack’, with an effort across the private and public sectors to establish effective plans for measures variously labelled as ‘disaster recovery’, ‘digital resilience’ and ‘business continuity’. Yet equally important is the effort to understand the true nature of cyber power and how dangerous it might be: to test whether we need different forms of deterrence, new norms of behaviour, arms control-like agreements and verification, and new methods of controlling the proliferation of cyber capabilities. Otherwise, we are simply resigned to living through an ever-escalating and increasingly expensive arms race between offence and defence.

The complications of assessing state cyber power

Without attempting to be exhaustive, here are three factors that complicate the task of assessing the true nature of a state’s cyber power.

Firstly, a nation’s offensive (including military) cyber capabilities are largely undeclared, and most often designed to create confusion without detection, rather than obvious and attributable destruction. This is where the common analogy with nuclear deterrence starts to break down. Until states are more open about offensive capabilities or we conceive of these new capabilities in new ways, establishing an effective deterrence framework for cyber will be challenging. Today, however, the rapid speed of cyber technical development and innovation persuades the most capable states that they can develop and maintain an offensive advantage, providing little incentive for them to be more open.

Secondly, some states outsource their cyber operations to non-state actors (or proxies). These include patriotic hackers, hacktivists, cyber militias, and cyber criminals. It is hard to distinguish when those non-state actors are acting for themselves or for a state. Equally, states without an indigenous cyber capability can acquire it from non-state actors, or simply from the wild of the internet. Again, analogies with nuclear break down: the use of a sophisticated cyber ‘weapon’ effectively makes its design specification and modus operandi public and ripe for copying, as occurred with Stuxnet.

Thirdly, the hardware and software of a state’s cyber capabilities are shared between its government, its private sector, and its citizens. The infrastructure is often provided, or owned, by the companies of another state, normally the US but with China’s market share increasing. A complicated interweaving of the public with private, the civilian with military, and the virtual with physical, makes cyber operational capability difficult to isolate and quantify.

The difficulties inherent in any quantitative or qualitative measurement of state cyber capability in turn complicate how any monitoring regime might work in an international arms control-like agreement. Warships in the Antarctic can easily be detected, yet a piece of code inserted into a power plant is hard to detect and, even if detected, is hard to attribute definitively to an originator or an intent.

What to do?

We need a more active international participation in the debate about the true nature of cyber power, as occurred with nuclear power 60 years ago. The questions we might ask are:

We need to consider all of this with a proper understanding of rapidly-approaching technology: the ‘Internet of Things’ (including smart cities), artificial intelligence (AI) and quantum computing. Specifically, we need to factor into our understanding of a cyber arms race the advent of cyber operations enabled by AI and quantum computing: code that can learn to adapt to defensive measures and can deal with complexity beyond our current imagining. We need to account for the likely future shape of cyber space itself, and how ownership of its underpinning infrastructure might change from being predominantly US to predominantly Chinese and, looking further ahead, perhaps Indian.

If we do not do all of this – get to grips with what cyber power really is and establish the right controls – a worst-case scenario might see even nuclear stability jeopardised. A combination of cyber and artificial intelligence has the potential to alter long-established deterrence norms, with states potentially unable to trust the integrity of both their Indications and Warning (I&W) information and their command chains. That would be the extreme version of what we already see today: that cyber operations have helped to erode trust in the online economy and in national democratic processes. This realisation is surely incentive enough for us to try to understand properly the implications of our century’s cyber revolution.

Cyber instruments and international security, Marcus Willett, the International Institute for Strategic Studies