Cyberwar looms as diplomats dither

Simulations at ANU's National Security College suggest that the world is sleepwalking towards war. Meanwhile, international cyber negotiations could be set back a decade.
Written by Stilgherrian , Contributor

Video: The economic impact of Russian hacking on the Ukraine economy

Cyber intelligence operations could increase the risk of accidental war, according to researchers at the Australian National University's National Security College.

Early results published earlier this month supported the idea that the world is sleepwalking to war, much like Europe did in the early years of the 20th century.

Professor Roger Bradbury and research assistant Dmitry Brizhinev had created a "general simulation framework that models the strategic interactions between countries". Honorary Professor Chris Barrie, a retired admiral and former Chief of the Australian Defence Force, joined them to analyse the sleepwalking hypothesis.

The model strips the problem to its essentials: a set of countries that interact with each other through competition, at its extreme war, and co-operation, at its extreme peace.

Cyber operations open up a Pandora's Box of dynamics, Bradbury told 5th International Conference on Cybercrime and Computer Forensics on Australia's Gold Coast on Monday.

He warned that the simulations are still very much at the lab-bench stage, but the results are "intriguing".

"In cyberspace, big and little states, near and distant states can all play in the same sandpit with the game forever renewed by the colossal force of innovation. There is no geography in which to hide nor much history to provide protection. The game is primal and raw, and we see states behaving in a primitive splendour," Bradbury said.

"How does the ancient craft of intelligence feed into this mix? In a nutshell, intelligence encourages adventurism in the cyberspace of a world that is becoming increasingly hawkish."

Traditional intelligence work is usually carefully calibrated, Bradbury said, pushing adversaries towards war, but remaining just one below that. But cyberspace, as a "power-diffuse domain", reduces restraints on the exercise of power by all states. And in cyberspace, calculations of risk are distorted by the difficulty of attribution of cyber operations.

"The result is that intelligence agencies around the world believe both that aggressive cyber operations should be pursued without restraint, and that the risks of such operations are low. This hubris, sadly, is not supported by experience, but it remains a strong belief nonetheless," Bradbury said.

"Cyberspace is thus becoming a place, in a world of growing hawkishness, where the threshold for war may be easily crossed -- where the world may sleepwalk to war. Whether that could escalate into a broader conflict is a discussion for another time."

Meanwhile, it could be another 10 years before there are legally binding international agreements on cyber crime, and on cyber activities relating to international security, according to Australia's Ambassador for Cyber Affairs Dr Tobias Feakin.

A framework for international cyber crime investigations does exist, and discussions on international security matters have been under way since 2004. But some nations feel that they weren't properly involved in those negotiations, and have called for a fresh start.

"I do fear that if we get ourselves entrenched in [negotiations for] a new legally binding treaty, be it from a cyber crime perspective or an international security perspective, we're going to have a very long air gap," Feakin told the conference.

The existing cyber crime treaty, the Council of Europe Convention on Cybercrime, or "Budapest Convention", came into force on July 1, 2004. Nations have been gradually signing on since.

In 2011, the Attorneys-General of the Five Eyes nations Australia, New Zealand, Canada, the US, and the UK, agreed that all five nations should become parties to the convention, and to promote it as the basis for building their own crime-fighting capabilities.

Feakin said the convention provides a "workable architecture" for international cooperation. But its origins in negotiations between the Council of Europe's 47 member states and a handful of observer nations has caused problems.

"There are countries that have acute concerns that this was negotiated without their presence, so from an ideological standpoint don't accept that it's a plausible way of doing business. The danger is that their call is for a completely restructured way of interacting in the cyber crime domain, and completely start from scratch with a convention on cyber crime," Feakin said.

"In theory that sounds OK, that everyone should be included. But where that then leaves us is another 10-year gap whilst that's negotiated and signed off, in which time it weakens the current mechanisms that we have, which work effectively, and they are actually built into place.

"There is a danger there that if we go back to the drawing board, then we leave ourselves with a 10-year gap without adequate coverage."

Feakin said that while bringing the dissenting nations into the current framework is "a difficult one to pursue", it allows the "flexibility to tweak and adjust those norms as you're pressing on".

Meanwhile, discussions towards developing an agreed set of "norms, rules, and principles of responsible behaviour of states" in the cyber realm have been under way since 2010, the most recent round under the auspices of the Fifth United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE).

Feakin said these negotiations have resulted in a number of "progressive agreements".

The 2013 UN GGE Report [PDF] recognised that the UN Charter and international law applied in cyberspace. Nations' efforts to improve cybersecurity would have to have "respect for human rights and fundamental freedoms set forth in the Universal Declaration of Human Rights and other international instruments".

In the 2015 UN GGE Report [PDF], nations agreed to a set of 11 international norms in cyberspace, including that nations must not "knowingly allow their territory to be used for internationally wrongful acts"; not conduct or knowingly support activity that intentionally damages critical infrastructure; "reasonable" steps to ensure the integrity of the supply chain for ICT products; and "not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams)".

Australia has supported the call for these cyber norms.

"I would suggest that that discussion, while covering aspects of cyber crime, is more directed towards that international security environment, so if you like, nation-state on nation-state discussions," Feakin said.

The nations calling for a fresh approach to cyber crime are also calling for a fresh start to these negotiations on international security matters.

"I would challenge anyone to put their hands up in this room and think that states could sign that off within the space of a year [and] it would take again another 10-year protracted process ... by which time, again, your adversaries and others have just accelerated their actions in cyberspace."

Others share Feakin's concerns over the lack of pace, and are far more critical of the negotiation process itself.

In August 2016, Brandon Valeriano and Allison Pytlak from the Washington-based think tank the Niskanen Center wrote a sharp critique, Cyber Security and the Coming Failure of the UN's Group of Governmental Experts.

"Since the GGE meetings are closed to non-members -- including technical experts -- it's difficult to understand the practice of the group's reports and outlooks. Even if the group did have an open dialogue, what real world impact is the group having? What obligations do other countries have to act on the GGE's recommendations? In theory, this could be some useful fora to discuss these matters, particularly norms of behavior, but the group's impact is limited by lack of inclusivity and its limited mandate," they wrote.

"The rate at which technology and cyber conflict evolves easily outpaces that of diplomacy and the institutions that seek to engage such issues, but if the GGE continues to merely 'examine' and 'study' it will struggle to remain relevant. If the UN wants to be a player in the cyber security dialogue going forward, it should move away from a 'talking shop' approach towards involving more stakeholders and producing outcomes that really shape policy, reflecting the realities of the cyber game."

Editorial standards