Cyber conflict is going on all around us, all of the time. The smartphone in your pocket can be compromised to become part of a botnet (robot network) that is used to overwhelm the servers of financial companies.
The ICT-enabled industrial control system that ensures the delivery of water or electricity to your home might be probed for vulnerabilities as we speak in order to guarantee access and enable disruption at a later time. We have already seen that the deployment of malicious code can cause physical destruction, both through proofs-of-concept and targeted cyber operations. Data breaches have been causing substantial monetary loss for years. States and non-state actors alike are developing increasingly sophisticated and effective tools for carrying out theft, espionage, and sabotage. In this brave new world, the cyber security community is increasingly turning to the concept of resilience as the paradigm for tackling the myriad threats stemming from the ever-increasing adoption of information and communications technologies.
Indeed, resilience was the common thread that tied together many of the keynote speeches and panel presentations of the first day of this year’s 7th annual International Conference on Cyber Conflict (CyCon), hosted in Tallinn by the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) and entitled “Architectures in Cyberspace”. In the cyber context, resilience can be loosely defined as a set of measures to prepare for, withstand, and recover from disruptions and attacks. In his keynote, NATO Assistant Secretary-General Sorin Ducaru insisted that NATO does not currently view cyber as an operational domain but that it is focused on resilience and capacity-building. The European External Action Service’s Rudolf Roy highlighted resilience as a key aspect of the EU cyber strategy, referring to legislative (NIS directive) and training (ENISA, EDA) initiatives that are aimed at strengthening the capabilities of member states to cope with cyber threats. Common ground could even be identified between Microsoft’s Angela McKay and Admiral Michael Rogers, head of US Cyber Command and the NSA, when it came to the importance of public-private partnerships for managing risks and implementing solutions to shared cyber concerns. Finally, the concept featured in the presentations of each of the speakers on the situational awareness session, most colorfully when Professor Leo Mõtus expounded his vision for resilient systems that featured greater trust toward, and cooperation with, semi-autonomous, self-aware, non-human entities exhibiting emergent behaviors that are not deducible from programming algorithms.
However, despite all of the attention that is being directed toward cyber security by individuals, companies, states, and international organizations, the challenges remain daunting. The workshops that took place before on the day before the conference drew attention to the fact that actors are still unable to find agreement on fundamental key terms in the field. Needless to say, consensus on self-limiting norms of state behavior seems further off still. The interdisciplinary group of cyber experts that presented on the first day of CyCon lamented the difficulty of attaining sufficient situational awareness of complex systems on the defensive side as well as the systemic insecurity that follows from the increasing willingness of well-financed state actors to develop cyber attack platforms, so-called “milware”, as an industrial activity that is analogous to private sector software development processes. The notorious Stuxnet attack may have been a watershed; current practices seem to be creating incentives for the further development of lucrative black and grey markets for vulnerabilities and exploits in the cyber domain. Based on these views, achieving resilience appears challenging at best.
In this rather gloomy state of affairs, what can states and non-state actors do to preserve openness and improve security online? Beyond simple investment and defensive capability development, CyCon keynote speakers and panelists were united in their affirmation of the multi-stakeholder model for internet governance. Optimism could also be sensed regarding the work of academic experts on international law, specifically about the development of Tallinn Manual 2.0, which is examing the application of existing law to cyber activity that falls below the threshold of the use of force. Additionally, resilience could be complemented by deterrence, even on the part of small states in relation to bigger, more powerful states. In his presentation on the panel “Cyber Conflict after Stuxnet”, Jason Rivera asserted that doing so required four factors: a moderate level of attribution, an understanding of the cyber security objectives of the adversary, a clever, rather than destructive, capability which leverages that insight (such as psychological operations), and an assured conformity with existing legal norms. It remains to be seen whether state practice affirms this hopeful hypothesis.
As this brief overview has suggested, the topics at this year’s CyCon span a wide range of cyber policy questions, from internet governance to artifical intelligence. These topics and several others will also be addressed in Thursday’s speeches and presentations, and the line-up of diverse yet qualified speakers enables this author to predict that an array of insightful and provocative ideas will emerge from their interventions. The full agenda for this year’s CyCon can be found here and ICDS will provide another overview of tomorrow’s events on this blog as well.