The ICT for Peace Foundation called for an International Code of Conduct to prevent cyber-conflicts by states and non-state actors. In an op-ed in the leading German-language newspaper Neue Zürcher Zeitung, Daniel Stauffacher, Chairman of the ICT4Peace Foundation, stated that “new online threats such as cyber-espionage and cyber-conflict are very hard to counteract with traditional security policy and instruments. It is now necessary to move forward and develop an international rules-based framework to set standards for the behaviour of states in cyberspace.”

The full text in German can be found here. The English version is as follows:

Cyber-conflict: Why the world needs an international code of conduct

Daniel Stauffacher, Chairman, ICT4Peace Foundation & Former Ambassador of Switzerland, Riccardo Sibilia, Head of Cyber Threat Analysis, Swiss Armed Forces, Switzerland and Barbara Weekes, CEO, Geneva Security Forum

In addition to environmental concerns, financial instability, conflict, poverty and natural disasters, nations around the world are currently facing another challenge that is here to stay: an invasive, multi-pronged and multi-layered threat, a modern day arms race without visible weapons or actors, characterized by an escalating number of attacks both on and off the radar. The stability of our networked global system and the proper functioning of our countries, cities and daily activities, rely on the Internet. Critical infrastructure – including transport, transport security, nuclear power plants, electricity, communication networks, oil pipelines, and financial institutions – has become a clear target for cyber attacks, which could have devastating consequences for humankind. The international community is not doing enough to prevent an on-going escalation of cyber attacks both on and off the radar.

The Internet should be treated as a global common good, which has triggered an explosion of innovation, entrepreneurial spirit, communication, business activity, economic growth, social networking, and exchange of ideas. Tackling a threat to this mainstay of modern society requires a global effort, a concerted open dialogue to find common ground and solutions.

This has proven not to be an easy task – despite countless international conferences, initiatives and meetings we have seen little real progress in developing an effective international response to cyber threats. The problem is unwieldy and complex, and the very nature of the attacks makes it difficult to find common solutions. Cyber attacks are anonymous and can be state or non-state controlled. It is almost impossible to achieve verifiable and provable attribution of who is attacking. They are also difficult to detect, persisting in some cases unnoticed for many years, and, in addition, they offer the attacker the possibility to attribute the attack to a third party. Cyber attacks are instantaneous and global; data packets can reach the entire world in less than half of a second. We are facing a new type of conflict, in which it has become easier to attack than to defend.

Should the global community consider launching non-proliferation or cyber-arms control talks? The short answer is no. There are serious flaws with these traditional approaches in cyberspace, most notably that almost all of the elements that would be considered “arms” in cyberspace have a legitimate dual-use purpose. “Arms” (e.g. malware, vulnerabilities, backdoors…) can also be hidden and developed covertly, and can be used for the full spectrum of offensive cyber activities, including cyber crime, cyber espionage and large-scale cyber attacks, without any differentiation.

Building on the World Summit on the Information Society (WSIS) and keeping in mind the United Nations Millennium Declaration on peace, security and disarmament, the global community should now urgently develop a non-binding “International Code of Conduct for Cyber-conflict”, outlining the key do’s and don’ts for nations in cyberspace in times of peace, war, peace support and peace enforcement. The Code of Conduct would enshrine the principle that “a cyber attack on another state is a breach of international law”, even if this might be at times diplomatically inconvenient.

The Code of Conduct would define what States must do, or abstain from doing, either when they are parties in a conflict or when interacting with parties in a conflict (e.g. handling of hosting of state-related contents, routing of traffic, tracking and blocking of hostile activities from concerned parties, etc.). The Code of Conduct would also address the role and status of private companies and organizations taking part in a cyber conflict. Finally, the Code of Conduct, building on the work of the East West Institute, could become a reference for internationally agreed definitions for the terms used in this field including cyber security, cyber crime, cyber espionage, cyber conflict and cyber war.

Nation states need to push the international cyber agenda ahead, placing a priority on cyber diplomacy at both multilateral and bilateral levels. In parallel to the Code of Conduct, bilateral “attack limitation” agreements should also be pursued on a sectoral basis. The cloak and dagger erosion of trust currently taking place within countries and between countries at the highest level needs to be stopped through increased transparency and trust building. Cyber-cooperation and cyber diplomacy should become the norm. This means increased investment in training, capacity building, development assistance and multi-jurisdictional legal expertise.

Critical to any international effort to promote cyber peace is the ability and resources to check and verify, in an impartial way, the activities of those who have agreed to the Code of Conduct. An international independent body should be created, or housed within an existing organization, to analyze and report real or presumed violations of the Code of Conduct.

Finally, while cyber security is critical, and the rights of the citizen and user to live and operate in a safe environment are of the utmost importance, any solution should not diminish the freedom of the Internet, or impede the hugely enriching role it has in our society.

*********

See also the underlying ICT4Peace paper by Daniel Stauffacher, Riccardo Sibilia and Barbara Weekes: Getting down to business: Realistic goals for the promotion of peace in cyberspace