Ten years ago, in the early summer of 2007, Estonia set out to remove a World War II memorial commemorating Soviet soldiers from the capital’s downtown, and inadvertently triggered what has sometimes been called the first strategic cyberattack in history. Over a three-week period, one of Europe’s most wired countries was paralyzed by a series of DDoS attacks against its government, media agencies, and financial institutions. It marked a watershed moment in the use of state-sanctioned cyberattacks to advance foreign policy goals. It also introduced a model for conflict in cyberspace fought by proxy to retain some degree of plausible deniability – even when there is an overall consensus saying otherwise.
In the following years, more strategic cyberattacks made headlines, ranging from events in Georgia in 2008, Stuxnet in 2011, attacks against Sony Pictures in 2014, Tele5 (2015), a German steel mill, or the Ukrainian power grid (2015), to the most recent wave of ransomware attacks, including WannaCry and NotPetya (2017), to name only a small sample. This indicates that cyberattacks are becoming the new normal, joining the already highly charged reality of seemingly omnipresent cyberespionage. Against this backdrop lies the concern that a catastrophic cyber exchange between nation states could occur. In recent years this has often been described as a major threat in national security threat assessments. While this dire outlook is partially connected to the overall level of geopolitical tension, there is a significant and widespread concern that the ability of governments to successfully manage the threat of major conflict in cyberspace is hampered by three factors: the difficulties in attribution; the dominant role of non-state actors in all shapes and forms (attacker, victim, media or carrier of attacks) and their unclear relationships with governments; and the rapid development of the technology itself, which creates unseen future shocks with significant impact on national security.
Both bilateral and multilateral interstate discussions have attempted, and in some cases managed, to address some of the risks of inadvertent escalation and of a loss of escalation control. However, attempts to find a workable interstate dialogue seem to have reached an impasse. The failure of the “UN Group of Governmental Experts” to reach a consensus in 2017 and stalemates in other diplomatic fora show that governments alone will not be able to fix the problem. Despite their traditional dominance over all questions related to international peace and security, governments make up only one of three actor groups in the overall cyberspace regime complex. The Internet is governed by a complex ecosystem of stakeholders, each with its own set of standards, norms, rules and processes. The ability of the private sector, which owns and runs most of its digital and physical assets in any conceivable form, and of civil society, which is largely responsible for coding and running the most basic Internet functions, to create norms of behaviour is therefore paramount. Governments alone cannot decide on all aspects of cyberspace – instead, their ability to draft their own norms is largely contingent on the norms that others have already established. Given this complex landscape, it is unlikely that there can be a single, all-encompassing legal solution that is both enforceable and inclusive. Instead, developing norms of behaviour acceptable to all relevant stakeholders is essential.
In an effort to facilitate global multi-stakeholder engagement to help develop norms and policy initiatives related to international peace and security in cyberspace, HCSS decided to launch the Global Commission on the Stability of Cyberspace at the 2017 Munich Security Conference with the support of many partners. The Commission pursues this goal by connecting traditional state-led dialogues with those of the Internet communities. Recently, in New Delhi, the Commission released its Call to Protect the Public Core of the Internet – an appeal for a new norm under which both state and non-state actors refrain from activity that intentionally and substantially damages the general availability or integrity of the Internet itself.
HCSS seeks help from others working towards this shared mission and will continue to pursue the multi-stakeholder approach into its second decade, the end of which will hopefully bring more answers to questions we have not yet fully addressed.
Louk Faesen, Associate Strategic Analyst, Cyber Policy and Resilience Program
This post is part of a series on the HCSS 10 year anniversary. Throughout the year analysts, experts and former colleagues will publish a post reflecting on the past 10 years.