Report on ICT4Peace International Dialogue on Confidence Building Measures (CBMs) and International Cyber Security – ETH Zurich, 20 to 21 June 2013.

On 20 and 21 June 2013, the ICT4Peace Foundation hosted an international high-level expert workshop at ETH Zurich on Confidence Building Measures (CBMs) and International Cyber Security, to develop a better common understanding of practical CBMs to be applied to cyberspace, based inter alia on concrete experiences of incidents and threats, that are relevant to build trust and rapid response systems to avoid potential conflict.

The workshop has allowed for a focused examination and development of a list of specific, concrete and practical CBMs and an assessment of their utility and feasibility from an international security, operational and diplomatic perspective. The results of the workshop will help the discussions and negotiations on confidence building in cyberspace and related policy options in various fora such as the UN Group of Governmental Experts on Cyber Issues (UN GGE), the OSCE Informal Working Group on Confidence–building Measures in the field of ICTs, the ASEAN Regional Forum (ARF), the London Process on Cyberspace and the Conference on Cyberspace in Seoul in October 2013. Please find the report as a PDF here.

###

The meeting in Zurich took place at an important moment. Recent events have shown that much remains to be done to ensure and strengthen confidence between states and society around the different uses of cyberspace. Meanwhile, mistrust between states regarding the use of cyberspace continues to rise, not least due to the increasing sophistication of cyber probes and attacks and a palpable race to enhance offensive as well as defensive capabilities.

Notwithstanding, a UN process on Developments in the Field of Information and Telecommunications in the context of international security initiated in 1998 within the framework of the UN General Assembly First Committee on Disarmament just recently reached agreement on a range of measures aimed at building cooperation for a peaceful, secure, resilient and open ICT environment. Progress is also being made within the framework of the OSCE to reach agreement on a complementary range of CBMs and recent constructive discussions have led to a sense of cautious optimism that participating states may adopt a first set of cyber/ICT security-related CBMs at some point in 2013. Meanwhile, discussions on CBMs within the framework of the ASEAN Regional Framework (ARF) continue. At the bilateral level, the U.S.-Russian strategic dialogue has been long standing and has recently resulted in an agreement on some initial CBMs. The U.S.-China consultations on international cyber security are much more recent and there are indications that discussions are moving forward in a positive direction. Similar official consultations on cyber security issues are emerging in bilateral talks between other states interested in this subject matter. In addition to these developments, the government of South Korea is now preparing for the next international conference on cyberspace, which will build on the earlier efforts of the United Kingdom and Hungary to broaden the dialogue beyond state actors, and assess progress to date.

These are all important steps since earlier efforts to reach common ground on how to respond to threats to international cyber security yielded limited results, and there was an underlying perception that ideological differences, in particular between blocs of states, were serving as important stumbling blocks to reaching even minor agreement on norms and confidence building measures for responding to international cyber security challenges. Each of these processes has also broadened awareness on the issues, although questions regarding how to effectively engage (directly or indirectly) non-governmental organizations and the private sector remain unresolved.

WHY CBMs?

The objective of confidence and transparency building measures in recent history and in relation to conventional threats has been to prevent outbreak of war and escalation in a crisis; increase trust so as to avoid escalation; enhance early warning and predictability; and modify and transform or improve relations between states. There is general agreement that CBMs for responding to international cyber security issues are useful and necessary, that they are timely and that they should be a priority area for the international community. CBMs are the type of measures that need to be in place to avoid potential misunderstanding and escalation when relations among states with regard to cyber/ICT security worsen, serving as a form of pressure valve.

Regarding cyberspace, a series of cyber security challenges has emerged over time. These include:

  • Low entry barriers to cyberspace, meaning that more and more actors have access to information technology and software that can be potentially used for malicious and hostile activities.
  • The fact that in highly connected societies the disruption of services can cause significant economic, financial and psychological damage thus rendering these services strategic targets.
  • A growing digital divide between highly industrialized and less-developed countries and growing concerns regarding information superiority.
  • Growing concerns that cyberspace is becoming militarized and that states are investing in developing offensive military capabilities aimed at destroying, denying, degrading or disrupting a perceived adversary’s capabilities.
  • Concerns that ‘disruptive cyber tools’ or ‘cyber weapons’ are proliferating, provoking a digital arms race and representing a new tool of warfare.
  • Lack of clarity about which situations and under what circumstances ‘cyber weapons’ will be used.
  • Increasing anxiety that civilian infrastructure will be attacked by state or non-state actors and whether such an attack would lead to escalation and the outbreak of conventional conflict.
  • Increasing concern about cyber espionage, unfettered data collection, privacy and broader civil rights.

These challenges are being discussed against the backdrop of significant events in cyberspace. Both China and the United States have accused each other of conducting protracted cyber espionage activities, and more recently it has been alleged that the UK has also been involved in similar activities. It has also been revealed that the U.S. has a developed policy – and most likely doctrine – for offensive cyber operations, although it is more than likely that the U.S. is not the only country that has developed these capabilities. These revelations have had the combined counter-intuitive effect of creating a form of ‘strategic pause’ among the great powers, at least. There are signs that the U.S. and Russia have started a serious dialogue on international cyber security issues, and that both the U.S. and China are seriously considering similar discussions. These are positive developments that provide a degree of optimism that strategic restraint will become the rule rather than the exception in matters of offensive cyber operations, even if cyber-espionage will undoubtedly continue unabated.

Confidence building measures can serve to lay the foundation for agreeing on acceptable norms of behaviour for states as well as confidence and trust building measures to avoid miscalculation and escalation. They can also represent initial steps towards discussions on arms control and finding common ground for understanding future cyber threats in a crisis or war-like situation, including protection of strategic assets and critical civilian infrastructure. It is, however, equally important to be clear about what it is we are trying to prevent, or at least mitigate, when discussing different types of measures. In this regard, measures that instil strategic restraint in offensive cyber operations that have the potential of creating physical damage and harm should be the main priority. CBMs should serve that end. We should not, however, delude ourselves that states will give up certain cyber security programs – including seemingly aggressive ones – even if processes of political and strategic reconciliation are underway. Indeed, there are shared and agreed monitoring, compliance, and transparency measures for CBMs, but realism dictates that we must also accept that states will also maintain and use private and covert measures for monitoring each other’s activities and capabilities. The axiom ‘trust, but verify’ remains crucial in this regard.

Finally, the role of regional security organizations (RSOs) such as ARF, OSCE, OAS, AU is also crucial in helping to broker common approaches to defining CBMs and there are obvious economies of scope and scale in capitalizing on their experiences in more conventional arms areas. There has also been talk of using existing communications mechanisms in RSOs to help de-escalate tensions. Provided they work at net speed, the latter could be a useful way forward. However, the role of RSOs should be seen in its proper context: whereas CBMs on conventional forces have stressed the regional basis for CBMs, the global interconnected nature of cyber space means that regional approaches can take us only so far.

Enhanced mechanisms for sharing of good practice between and among RSOs would be a powerful step to take forward. A first step in this regard would be to institutionalize dialogue among the RSOs. In the same vein, RSO involvement should be seen as complementary to bilateral CBMs, such as those recently announced between Russia and the US. This is a complicated problem, and a “one size fits all” solution will not work. Much of the debate so far, whether about norms or CBMs, has been about the development of consensual approaches to the issue; but it is important to bear in mind the role that declaratory policy can also play. In this regard, it is worth recalling that in conventional domains, confidence building often begins with a unilateral concession by one or more parties: in Northern Ireland, the Middle East, and the Soviet Union, for example. Declaratory policy needs to be credible, but it is often the symbolism that is important, and it does not necessarily mean giving away your most valuable bargaining chips. For example, what signal would it send if a nation – or a group of nations – were to publicly declare that should an armed conflict arise, any form of cyber offensive would be conducted in accordance with the Laws of Armed Conflict (LOAC) and principles of necessity, proportionality and distinction?

Today, however, some states believe that if cyberspace is viewed as a strategic domain and the applicability of the LOAC to cyberspace is discussed, the latter will propel an arms race. Meanwhile, other states feel that clarity and observance of international law is vital, as the absence of clarity could in itself lead to misperceptions over the intent of a state, spurring a cyber arms race. States might also make a declaratory statement about how they would view and react to pre-positioning of offensive cyber capabilities on elements of their critical national infrastructure (CNI). Consensus on this topic will be difficult to achieve. Conversely, given that many nations would honour their international obligations in all domains in the event of an armed conflict, it remains unclear whether a declaratory policy or “unilateral concession” would be a helpful means to increase confidence.

The meeting in Zurich brought together a small group of high-level experts and practitioners to discuss different types of confidence building measures, how they have been introduced into the different diplomatic processes underway, as well as prospects for their effective implementation as these processes move forward. It allowed for a focused examination and development of a list of specific, concrete and practical CBMs and an assessment of their utility and feasibility from an international security, operational and diplomatic perspective. The following sections provide an overview of some of these CBMs. The accompanying matrix lists these measures, highlighting those that are already being discussed within the on-going diplomatic processes noted above.

The report is divided into four main sections: i) Transparency, Compliance and Verification Measures; ii) Cooperative Measures; iii) Collaboration and Communication Mechanisms; and iv) Stability and Restraint Measures. A final section discusses next steps for diplomatic CBM processes. While the aim was to set out four categories of CBMs on the basis of function, as is evident in the report, one measure can serve more than one purpose, hence there is significant overlap between measures.

A major outcome of the workshop is also a Matrix for Options for Cybersecurity CBMs.

The ICT4Peace Foundation would like to thank Barbara Weekes for preparing the workshop as well as Ambassador Paul Meyer and Dr. Eneken Tikk-Ringas for their support, and thank Camino Kavanagh for drafting the workshop report. Finally, ICT4Peace expresses its deep appreciation to the Swiss Ministry of Foreign Affairs, the Schwyzer-Stiftung and the Swiss Federal Institute of Technology – ETH in Zurich for their precious support for the organization of the workshop and preparation of its reports.

Daniel Stauffacher
President
ICT4Peace Foundation
www.ict4peace.org
Zurich, June 2013

Please find also the following publications of ICT4Peace on cybersecurity and resilience under Cybersecurity and a resilient internet.