Establishing International Cyber Norms

Jeoffrey Houvenaeghel

U.S. Navy Cyber Defense Operations Command

U.S. Navy Cyber Defense Operations Command – Mass Communications Specialist 1st Class Corey Lewis , U.S. Navy via Wikimedia Commons

“I repeat that spying among friends is not at all acceptable against anyone, and that goes for every citizen in Germany.”

Angela Merkel

A statement that has resonated with me since the public disclosure on PRISM. Earlier this year, Bundesnachrichtendienst (German Foreign Intelligence) has been accused of spying on its allies most notably the French President as well as the EU institutions, demonstrating the hypocrisy but more pragmatically demonstrating the highly-complex rapidly evolving interconnected environment that states function in. Analysing policy-makers’ statements in the media there is a coherent lack of understanding on the political level on the implications of a cyber-attack as well as revealing the myriad of policy interpretations on cyber offense. These diverse political interpretations develop long-term challenges in international policy-making especially as it significantly tests military alliances seen in PRISM and Operation Socialist. With more nations developing cyber offensive capabilities, it is urgent, to actively engage into constructive dialogue concerning the possibility to develop international recognised norms that would resonate with the international community or at least at a supranational level. In order to achieve some sort of cyber governance allowing to minimise malicious surveillance programs targeting allies but this will require an unprecedented level of international cooperation.

Developing an international accepted normative cyber behaviour in the context of international relations seems to be an absolute impossible task. One of the main challenges is diverging national cyber doctrines and strategies that have a profound effect on international cooperation especially in attempting to find a compromise between national and international priorities. It has been expressed at a recent conference that both Finnish Ministry of Defence and U.S. Cyber Command interpret that if a significant cyber-attack would take place then it could respond with a kinetic military response. There are several key questions surrounding this statement regarding the extent of the attack and would a kinetic response actually truly happen especially from smaller nations with less hard power. Operation Socialist is a clear example, how one EU member state has used a cyber-attack on another. If one would follow the Finnish and US Cyber Command viewpoint then a kinetic response could be considered but this is absolutely impossible especially as the victim is a smaller member state. An inquiry has been started and Sophia in ’t Veld discussed that there should be sanctions but even sanctions in the context of an EU level seems to be highly disproportionate to the damages caused. At one point it can be discussed that certain policy-makers have underestimated the sui generis nature of the threat demonstrating a lack of understanding. There is a demonstrable knowledge gap especially when you envisage cyberspace. Consider a state cyber attacking another nation but the attack goes through a third party (IT infrastructure). Would the third-party be liable for the attack or be perceived as a victim?

The key point is that many policy-makers truly have no coherent idea on the cyber capabilities of adversaries as well as their own allies. There is literally a fog of war, allowing nations to interpret threats based on their own experiences and understanding of the situation. This fragments international cooperation and would makes it even harder to reach a common shared vision with substantive norms. A quintessential example is Chinese cyber warfare doctrine which has rapidly developed over the past decades taking significant large leaps forward to gain an advantage over potential adversaries. It has successfully acquired highly sensitive information on the Lockheed Martin F-35 Lightning II in 2007. Additionally, Chinese cyber-attacks are so incredible difficult to understand as the coding is in Chinese providing another layer of cryptography. Policy-makers need to make the first step in understanding potential adversaries and knowledge of the cyber environment.

In order to create internationally accepted norms one needs to understand both Western and Non-Western approaches especially on the challenge when a nation’s cyber doctrine is more mature than another. The first step for any dialogue would be having a common definition on what actually constitutes a norm. Trust is a key driver within this phase especially as it requires a broader approach including civil society. But if trust is regularly compromised through cyber offensive operations it becomes increasingly difficult to establish norms.

It is important to understand cyber offensive operations especially as spying has always existed before and will always exist in the present and the future. This sort of cyber espionage is based on new ever-increasing available tools, as new technologies are integrated in our daily lives then it is evident that there are opportunities for parties to exploit new vulnerabilities. Reflecting on arguments on cyber espionage, there is clearly a need for data mining to collect large amounts of data to verify information. Of course, data mining has its flaws especially as it is prone to analysis paralysis. A term to describe the unmanageable nature of large data sets. One needs to consider that cyber is still relatively a young field and importantly understand the multiple perspectives. Cyber offers an immense resource for government and military organisations to gain access to an unprecedented source of information that is too enticing not to use. There have been mistakes and there will be more.

But what is far more important is that there needs to be more dialogue on the subject with more substantive arguments disregarding the constant repetitive discussions on international cooperation from a general high-level perspective such as general statements as ‘collaboration.’ But without any substantive arguments to further build on what collaboration actually means. It is also important to understand that the national cyber doctrine has to be far more mature in the context of public and private partnerships with the military. If a nation can achieve a comprehensive national cyber strategy that includes private, government and military organisations working hand in hand then it is one step further to take these partnerships to a multinational level allowing for existing norms to be adapted internationally.

Leave a Reply

Your email address will not be published. Required fields are marked *