An Article by Sam Storr – original post found in our archive
Cyber-security is an issue that is being pushed to the forefront of international debate by both private industry and national defence departments, joining terrorism as the fifth priority risk identified by the UK’s National Security Strategy of October 2010.
Several recent events suggest the response to cyber-security lags far behind current realities. Hacker collectives spent 2011 gleefully demonstrating the incompetence of those entrusted with our security and information. Distributed denial of service (DDoS) campaigns targeting Estonian and Georgian communications show that cyber-space is now on the battle-map. The Stuxnet worm, targeting the Iranian uranium enrichment programme, shows that states are already using the internet to engage in industrial sabotage. Meanwhile, legal scholars complain that there is little understanding of what terms such as cyber-warfare actually mean.
The Obama administration’s estimate that the global economy loses $1 trillion to cyber-crime annually is widely quoted, but the basis for this is unclear (the World Bank puts global GDP at just $63 trillion in 2010).Behind the hysteria of political statistics, the best measure of the danger is our vulnerability. As an economy dependent on financial transactions and intellectual property, increasingly integrating critical infrastructure and state services with the internet, the UK is especially at risk. With so many careers (and profits) being made on the back of hasty digitisation programmes, nobody wants to suffer the first major embarrassment. This explains why the new Cyber Security Operations Centre (CSOC) warns a successful cyber attack would cause a “catastrophic” failure of confidence in the government. Conversely, cyber-safety could become a valuable commodity, making the UK an attractive place to do business.
Threats to cyber-security can come rapidly and from anywhere, are difficult to trace and can be quickly covered up. Beyond physical constraints, they can theoretically be carried out by anyone, against anyone, and have complex, wide-ranging effects. States will need to prosecute against crimes perpetrated outside their borders. An effective deterrent would therefore require an extraordinary level of agreement on a framework to define unlawful cyber-actions, and the willingness to cooperate in responding to violation. UK foreign policy is to promote European efforts to create these definitions, draft national legislation, spread basic cyber capabilities, and encourage cooperation between centralised national taskforces. £650 million is to be spent on the national Cyber Security Strategy.
The impulse of nations to impose themselves on the Internet can be in contrast with accepted internet freedoms, and this demonstrates some of the difficulties of international cooperation. Some states define security in ways that seek to limit the freedom of speech. Yet whilst William Hague calls for international agreement to stop dictators from preventing citizens using the internet to speak out and organise against them, he is undermined by calls for the makers of Blackberry phones to end their role in facilitating rioters to commit unlawful acts in the UK.
Even if cooperation is possible, the academic counter-current warns that the opportunities offered by cyber-attacks and espionage will be too great for all states to respect their responsibilities, with Joseph Nye even making comparisons to the arms race of the Cold War. The difficulty of attributing responsibility for cyber-attacks may reduce the incentive to behave, or could even lead to states being wrongly accused. It is not difficult to imagine how the US might react if Iran appeared to be trying to steal atomic weapons technology, or if a hostile power appeared to have infiltrated critical defence systems.
After the debate of what constitutes an unlawful act in cyberspace comes the matter of the right to respond to a violation; whether existing principles of international law can be adapted to the cyber-context, or whether they will be proven insufficient. The advantage of using established legal instruments to defend cyber-security is that they are less likely to be contested and can be deployed sooner. Avoiding the creation of a framework based on the nuances of cyber-space may ultimately lead to greater complications and a less flexible system.
Many nations, the UK included, are developing the ability to respond aggressively to an attack, to block it while it is happening and gain information of the intrusion; capabilities referred to by the euphemism “active defence”. Katharine Hinkle notes that this could refer to the principle of countermeasures, by which one state can take action to prevent another from committing internationally unlawful acts against it. It is also asked whether an attack on infrastructure that cost lives could constitute a use of force legitimating defensive action under Article 51 of the UN convention, or whether an attack on financial institutions could be considered similar to economic sanctions.
Even if international legal instruments could be bent towards every aspect of cyber-security, Hinkle suggests that some foundations of international law, such as the principle of proportionality, may not translate. A proportionate counter-attack in cyberspace is unlikely to result in a proportionate physical effect in the target country. It is also likely that, due to the potential of cyber-attacks to rapidly cause great damage, cyber-security will see increased claims of the right to pre-emptive attack.
A great deal of the precedent governing responses to cyber-threats will probably, as has been the pattern with quasi-legal interventions, be established by strong states against those who are unlikely to pose a strong military or legal challenge. Most uncertain is whether larger states will always conduct themselves according to international laws and prosecute crimes in their territory. Allegations are frequently made about Chinese Internet abuses, but they are difficult to substantiate and it is unlikely that action will be taken. The atmosphere of suspicion threatens to stifle the necessary moves to internationalise the response to cyber-security. It is yet to be seen who will be able to capitalise from this situation.