13 November 2012
‘Jaw Jaw’ is better than ‘War War’: International Security in Cyberspace
by Paul Meyer
“Jaw Jaw is better than War War” is Winston Churchill’s famous maxim concerning the desirability of dialogue over destruction in the conduct of relations between states. As a great war-time leader, it was not that Churchill was a pacifist, but he did see the merit of trying to resolve disputes first on the basis of dialogue and mutual understanding, before having recourse to armed force. As a former diplomat, I share the predisposition when faced with a new challenge to international security to look first to possibilities for conflict prevention through the application of diplomacy.
As a result, when I survey the current environment for international cyber security I am troubled by the relative dearth of preventive diplomacy and the apparent dominance of militarized approaches to achieving security in cyber space. Given the particular nature of cyberspace, its ‘global commons’ character and its extensive and predominantly civilian applications, there are good reasons to question the assumption that it represents just another domain for armed conflict and offensive operations. Unlike the terrestrial environments that have been fields of battle for centuries, cyberspace is a recent human creation in which the key decisions as to the extent of cooperation or conflict that should prevail are still to be taken. While considerable attention has been given to criminal and other malicious actions in cyberspace by non-state actors, there has been less focus on the ‘international security’ dimension of cyberspace and the future of inter-state behaviour.
We are still at an early stage in addressing the issue of inter-state behaviour and frankly the future course of events in cyber space could go either way on the cooperation-conflict spectrum. As has frequently been the practice in the past, when the international community has been confronted with the question of how to handle a new development with implications for international security, the world has looked to the leading powers for guidance on the path to follow. Sometimes those powers have been able to cooperate to forestall militarization or weaponization of sensitive environments. One can think of the treaties on the Antarctic, outer space, the seabed and the WMD prohibition agreements such as the Biological Weapons Convention and the Chemical Weapons Convention. In other situations, weaponization was allowed to proceed, but with various limits and restrictions placed on these systems and their deployments, as witnessed by the many arms control accords of the past century. And in yet other situations, state behaviour is unregulated formally, but reflects shared norms that have developed over time – e.g. nuclear deterrence.
In this context of international security regime development, the United States traditionally has played a leading role, often being the major architect of new arrangements and then seeking support for these from other actors. The cyber space realm has seen some initial path-breaking policy work by the U.S. in the form of its International Strategy for Cyberspace released by the White House in May 2011. This strategy recognised the tendency of some governments to seek “to exercise traditional national power through cyberspace”, while calling for the development of internationally agreed “norms for acceptable state behaviour through cyberspace”. The Obama administration however has yet to be able to translate this progressive vision into actual processes which yield substantive results. Currently this administration is distracted by electoral considerations and is not giving thought to issues of high policy. Critics might also protest that the administration’s apparent involvement in the deployment of the “Stuxnet” and “Flame” cyber weapons renders it a poor standard bearer for that “peaceful and just interstate conduct” in cyberspace that its strategy proclaimed.
In light of the huge stake civil society has in secure and sustainable access to cyberspace, we should not accept a laissez faire approach being taken by states with respect to international cyber security. This environment is too precious to leave it to the cyber generals (or more likely captains) to “safeguard” as they see fit. In the absence of a great power champion willing to convene a global forum on norms for responsible state behaviour on cyber security, to whom can civil society look for some action on this front? At present there are only a few options out there that might bring some discipline and purpose to what hitherto has been a diffuse and disjointed debate. One of these is for regional security organizations to look seriously at developing such norms and associated measures as to provide some agreed framework in which to conduct cyber operations. The Organization for Security and Cooperation in Europe (OSCE) has recently initiated a working group “to elaborate a set of draft confidence-building measures (CBMs) to enhance interstate cooperation, transparency, predictability and stability and to reduce the risks of misperception, escalation, and conflict that may stem from the use of Information and Communication Technologies (ICTs)”. The sizable and diverse membership of the OSCE and its successful history in the development of CBMs in the political-military field augurs well for this enterprise, but it is very early days. The stated goal of the working group to have an initial set of CBMs ready for adoption by the upcoming OSCE Ministerial meeting in Dublin this December seems ambitious and the negotiation process may have to be extended.
At the universal level, and a central feature of cyberspace is its global nature, the United Nations has begun to address itself to the challenge of international cyber security. It has done so largely through the establishment of a Group of Governmental Experts (drawn from a representative set of some 15 states) to consider issues relating to security in cyberspace. An initial consensus report in 2010 recommended the development of “confidence building, stability and risk reduction measures”. A new Group of Governmental Experts has got underway this year and is due to report back to the UN General
Assembly by the fall of 2013. These groups operate on the basis of consensus however and it is by no means certain, especially as the governmental experts move beyond formulating general platitudes to grappling with specific measures, that agreed recommendations will be forthcoming.
Influencing these diplomatic processes is an underlying strategic reality, which may assist those who wish to see a cooperative security regime established for cyberspace. This reality is one common to both outer space and cyberspace. In both of these fragile environments there is a risk that destructive action by any state has the potential to deny use of the domain to all. One hopes that in cyberspace as in outer space, this recognition of a common vulnerability will induce a common restraint that can overtime be channelled into cooperative arrangements and collaborative habits which can form a basis for more formal agreements.
What should civil society, as cyberspace’s prime stakeholder, do to influence the state-centric activity that is finally getting underway? Firstly, concerned civil society should be monitoring closely these official processes and seeking input to them. Secondly, civil society should be maintaining pressure on governments to ensure that serious diplomatic engagement to devise the norms for responsible state behaviour is sustained. The diplomacy of international cyber security cooperation has lagged far behind the cyber actions of military establishments and it is time to energize a conflict prevention and mitigation effort in determining what sort of state conduct in cyberspace we wish to see in the future.
 This is a revised version of the author’s presentation on behalf of the ICT4Peace Foundation to the panel on “Perspectives on International Security in Cyberspace” at Cyberbudapest 2012 held October 4-5 in Budapest, Hungary.
 Paul Meyer is a former Ambassador of Canada for Disarmament. He is currently Fellow in International Security at Simon Fraser University and Senior Fellow the Simons Foundation both in Vancouver, Canada, and a Senior Advisor, ICT4Peace Foundation.