Heads of state of NATO allies declared in Wales in 2014 that cyber threats had reached the level of being able to threaten Euro-Atlantic security and cyber attacks could trigger a collective defence response. This sent a powerful message to the rest of the world. Among other things, it also poured fuel on the fire of the rhetoric that states, and especially their security services, are undermining the liberating, progressive qualities of cyberspace and turning it into an arena for competition, coercion and conflict both technically and conceptually.
This underlying tension between the perceived roles and responsibilities of governments, industry, civil society, and academia in the cyber world was also a theme of many of the presentations on the second and third day of CyCon in Tallinn. In the closing keynote of the conference, Jeff Moss, who is considered to be a prominent spokesperson for the computer security community, warned that “wars on the Internet” would have fundamentally far-reaching and negative effects on its technical nature; in fact, security concerns have already made it much less flexible and more “brittle” than ever before. Paul Vixie, CEO of Farsight Security, also asserted that we are living in a new state of affairs where, in cyberspace, every company now has to defend itself against every nation-state and criminal empire, regardless of whether their adversary is domestic or foreign. The panel on surveillance highlighted that the status quo is further complicated by the almost complete lack of existing international law governing foreign electronic intelligence gathering.
While there is certainly espionage and low-level conflict in cyberspace, most experts would agree that we have yet to see the first real “cyber war”. In this context, several experts expressed thoughts on the role of militaries and security services in the cyber domain. In his keynote on the Dutch defence cyber strategy, Sebastian Reyn spoke of the potential for militaries to cooperate with civil authorities in preparing for, and responding to, crises, including by carrying out joint exercises. More specifically, the panel on defending the nation in cyberspace highlighted the value of information exchange and cooperation in the field of critical infrastructure protection between the two. Jeff Moss agreed with both perspectives, envisioning militaries as the “final backstop” in cyber crises and calling on them to train and educate industry on the basis of their offensive skills.
Most countries are in the process of developing and implementing their positions on these issues. Analysts at CyCon also identified trends and expounded views on the directions in which the discussions are, or should be, developing. For example, legal experts on the surveillance panel noted that states are becoming more inclined to increase transparency because they may be losing the moral high ground. Sebastian Reyn affirmed that it is crucial that intelligence agencies have democratic oversight as well as political approval and echoed Admiral Rogers’ focus on abiding by the existing legal framework.
How does all of this play out in practice? The panels on influence operations and cyber warfare in Ukraine put states’ use of cyber capabilities into the larger strategic picture. In the case of the war in Ukraine, panelists argued that Russia has mostly used cyber methods as new tools for accomplishing old goals, such as the effective application of propaganda, disinformation, and reflexive control. Kenneth Geers drew attention to the use of Distributed Denial of Service (DDoS) attacks against Maidan protesters and Margareta Jaitner highlighted Russian special forces’ understanding of internet architecture in the occupation and annexation of Crimea. Richard Bejtlich, on the other hand, pointed to his company’s attribution of Chinese military actors in attacks by tracking their social media usage as an example of how simple mistakes can undermine the efforts, malicious or otherwise, of state actors as well. Finally, Jeff Moss made the case for laxity in international controls on the activities of the security research community by criticizing the recent addition of security vulnerabilities into the list of strategic goods falling under the remit of the Wassenaar arrangement.
In sum, the various messages from cyber experts led to a mixed picture on whether we can coherently say that cyberspace is being actively militarized. Rather, it appears that while many states have taken more active roles both in terms of governance and security in cyberspace, there is still an open debate on the roles militaries and intelligence agencies, as the actors with the greatest resources and potential capacity, are and should be playing. It is important that the voices of the industry, academia, and civil society communities are heard in this debate, and this is part of the value of forums such as CyCon. Next year’s conference, which will focus on cyber power, will surely delve into this topic with even greater depth and with the benefit of another year of evidence in terms of state practice.