Without adequate cyber security, essential services and basic supplies are put at risk in our increasingly digital societies. This became abundantly clear in May 2021, when a ransomware attack in the United States interfered with large parts of the country’s east coast petrol supply, or when hospitals in Ireland were forced to switch to emergency supply. However, these attacks and overarching threats do not just emanate from cyber criminals. There is also growing evidence of continuous state cyber operations against critical infrastructures, including attacks on vaccine logistics or electricity supplies.
It comes as no surprise that new technologies make societies more vulnerable, at least initially. After all, our history is rife with examples, from the emergence of nuclear arsenals to present-day terrorist uses of modern technology. Peace research in Germany has, since its inception, argued that these risks cannot be primarily dealt with through an increase in arms, nor by the threat or pre-emptive use of force. While research into cybersecurity dynamics is still in its infancy, initial findings seem to confirm the peace research perspective. This is particularly true when it comes to crisis dynamics in cyberspace or the effects of the American concept of "defending forward".
In other respects, cyberspace often reveals completely new potentials, for example when looking at contributions from social actors that are conducive to peace. These should be connected yet more strongly at both the national and transnational levels, in order to promote peace and stability in cyberspace. This is precisely where IFSH’s research focus International Cybersecurity, funded by the Federal Foreign Office, enters into the equation. A central goal of the project is to investigate new instruments and partnerships for peacebuilding and stabilisation in cyberspace, and to advise politicians in this regard.
Early warning and crisis support
Since the heyday of the internet, there has been a highly networked and transnationally organised technical community. Expert communities in other policy fields, such as nuclear arms control, influence policy indirectly by creating a common awareness of problems. In contrast, the IT community contributes directly to early warning and crisis aid, often in a self-organised way. Examples of this include pragmatic cross-border cooperation of computer security teams across diverse organisations and sectors, or the sharing of novel attack methods and best crisis response practices via common platforms.
The 2015 commitment of all UN member states to the eleven so-called norms of responsible state behaviour is rightly considered a milestone in international cyber security policy. However, the significance of these norms also stems from the fact that they have been reaffirmed, substantiated, and expanded by complementary initiatives of non-state actors, such as research institutes or companies. While norm-building in cyberspace does not follow in the footsteps of successful non-state campaigns such as those to ban landmines, it is nevertheless anything but state-centric.
In order to be able to punish norm violations, such as attacks on critical infrastructures, the culprit must first be identified, requiring considerable competences and resources. While intelligence agencies of major cyber powers are able to do so, internationally recognised standards do not exist, let alone a common procedure for attributing cyberattacks. However, private cybersecurity firms such as FireEye or Kaspersky, research institutions such as the Citizen Lab at the University of Toronto, or even individual analysts have repeatedly demonstrated their extensive capabilities. The fact that states increasingly rely on these external analyses points to a considerable authority gain on the side of social actors, which should be leveraged more efficiently. In the future, this could be developed into a globally recognised network that focusses on an unbiased investigation of cyber incidents. Initial proposals are already on the table, with the history of arms control also offering precedents, such as the use of independent research laboratories within the framework of the Chemical Weapons Convention. The next task is to gradually adapt similar ideas to cyberspace and implement them there.
Non-proliferation at the micro-level
Lastly, social actors are actively involved in closing security gaps by discovering new vulnerabilities and reporting these, thus depriving attackers of potential exploits. One such example is bug bounty programmes, which offer prizes for the discovery of such vulnerabilities. However, security researchers, also known as white-hat hackers, who participate in these programmes often complain about the lack of legal security. Furthermore, some distrust state actors, which are often known to withhold vulnerabilities in order to be able to use them, for example for police investigations or intelligence operations. This tension shows that the relationship between state and societal actors still has considerable room for improvement, both domestically and internationally, in order to strengthen peace and stability in cyberspace together.