The Global Security Pulse (GSP) on Conflict in Cyberspace was published in June 2019 and tracked emerging trends in relation to peace and security in cyberspace.[1] This complementary research report delves into the two trend tables presented in the GSP by examining their underlying quantitative and qualitative evidence.

Disclaimer: The research for and production of this report has been conducted within the PROGRESS research framework agreement. Responsibility for the contents and for the opinions expressed, rests solely with the authors and does not constitute, nor should it be construed as, an endorsement by the Netherlands Ministries of Foreign Affairs and Defense.

Introduction

This paper examines conflict in cyberspace through a quantitative and qualitative analysis of the intentions, capabilities, and activities[2] of state actors in this domain, as well as an analysis of the norms and rules relevant to cyberspace. Its principal conclusion is that conflict in cyberspace has exponentially intensified in recent years, earning a top spot among states’ most critical security concerns. This is not without reason. Cyber operations are taking a leading role in conflicts between states and recently the risk of a major cyber incident between nation states has been described as a major threat in national security strategies. Earlier this year, Russian groups purportedly took aim at liberal democratic processes once again by targeting European voters with disinformation ahead of the EU elections.[3] Meanwhile, the recent Netnod attack on the Domain Name System (DNS), which was reportedly conducted by Iran, highlighted vulnerabilities within critical internet infrastructure and served as a reminder to the Dutch of the 2011 DigiNotar breach.[4] As Sino-American relations deteriorate, there has also been an increase in reported Chinese cyber espionage.[5] Undoubtedly, malicious actors are using cyber means, including cyber espionage, Computer Network Attacks (such as attacks on the DNS) and disinformation campaigns, to wreak havoc on international peace and security. While this dire outlook is partially connected to the overall level of geopolitical tension, there is a significant concern that the ability of governments to successfully manage the threat of major conflict is impeded as they only make up one of three actor groups in the overall cyberspace regime complex.[6]

The Global Security Pulse (GSP) on Conflict in Cyberspace was published in June 2019 and tracked emerging trends on peace and security in cyberspace.[7] This research report delves into the two trend tables presented in the GSP by examining their underlying quantitative and qualitative evidence. First, the ‘Threats in Cyberspace’ trend table, which measures a variety of indicators over a period of ten years (Table 1), is examined. These indicators measure the seriousness of conflict in cyberspace by gauging the intention and capacity of states to engage in cyber conflict, as well as the level of malicious activity reported in cyberspace. The report continues with an analysis of the second trend table (Table 4), ‘International Order in Cyberspace’, which measures the acceptance of norms and rules in this contentious field. Lastly, the conclusion illuminates how states can forge norm coherence and adoption in this complex, multi-stakeholder environment in order to enhance stability and peace in cyberspace.

Threats in Cyberspace

Table 1
Trend Assessment of Conflict in Cyberspace

Intentions

Perceptions of interstate escalation of tensions in cyberspace

An increasing number of national security threat assessments have identified cybersecurity as the main or a major security threat.[8] Throughout all eight analyzed National Security Strategies (US, DE, FR, UK, CN, RF, IN, NL) there is a rising perception that tensions between states are escalating in cyberspace. The earlier strategies (2006 - 2013) place a similar focus on the domains in which cybersecurity is regarded to be of relevance, i.e., cybercrime, IT theft, espionage, sabotage, inter-state cyber military competition, or the protection of critical infrastructure. Six out of the eight most recent strategies (2015 - 2019) place a higher priority on the relevance of cyberspace for national security, in particular the threat from state actors. Previously, although malicious governments seeking to advance their respective national interests were mentioned as a potential threat, more focus was placed on cybercriminals. In contrast, more recently, dedicated national cybersecurity assessments also identify a rising threat of state actors in cyberspace due to the increasing deployment of state-affiliated or directed cyber operations for offensive purposes. A notable point of contrast between the earlier and more recent national security strategies in regard to cyberspace is the recognition of cybersecurity as one of the main threats to national security.

Both bilateral and multilateral interstate discussions have attempted (and in some cases managed) to address some of the risks involved in inadvertent escalation as well as a loss of escalation control.[9] Most notably, the application of international law, norms of responsible state behavior, and confidence building measures (CBMs) have functioned as stability mechanisms that establish ‘rules of the road’ for responsible state behavior in cyberspace. More recently, states are shifting their attention to a more forward-leaning deterrence mechanism, the threat of punishment, to complement the deterrence measures of denial by defense, entanglement, and normative restraints.

Deterrence largely hinges on perception, as noted by Joseph Nye: “its effectiveness depends on answers not just to the question of 'how' but also to the questions of 'who' and 'what'. The threat of punishment – instead of deterrence by denial, entanglement, or norms – may deter some actors but not others.”[10] As state-led offensive cyber operations proliferate in a legal gray area without enforcement mechanisms to punish bad behavior, there is a significant concern that defensive deterrence measures (especially denial through cyber hygiene, defense and resilience) fall short against major states. An intelligence or military agency of a tier 1 cyber power is likely to penetrate most defenses with the right resources, but the combination of threat of punishment and effective defense can influence their calculations of costs and benefits. This is illustrated by the new US doctrine of “persistent engagement” that is designed to not only thwart adversary cyber operations by continuously anticipating and exploiting their vulnerabilities, but also to reinforce deterrence by raising the costs for adversaries (for example by denying their ability to exploit US vulnerabilities through operations that support resiliency, defending forward, contesting and countering to achieve strategic advantage).[11] However, this doctrine runs the risk of undermining allies’ trust and confidence and may cause diplomatic friction when the US decides to operate through the networks of its allies – something that could be easily exploited by common adversaries. Furthermore, it could pose a danger of escalation if interstate relations, especially the lines of communication, are poor.[12] Ultimately, each deterrent mechanism should not be seen as individual stand-alone components, but as complementary approaches to affect actors’ perceptions of the costs and benefits of actions.

States disclosing offensive cyber capabilities to enhance transparency

The lack of transparency in presumed force deployment, and even the method of operation or intended effects, make the task of assessing a state’s intentions, capabilities, and activities difficult. States are left guessing the overall capability of another state (albeit at widely varying degrees of detail) without, for the most part, being able to detail the exact order of battle, table of equipment, tactics, techniques, procedures or other basic information – unless the intelligence assessment is very complete.[13]

In their joint statement before the US Senate Armed Services Committee in 2017, the US Director of National Security and Director of the NSA and the US Cyber Command issued a warning that thirty countries are developing offensive cyberattack capabilities.[14] More recently, an increasing number of states have disclosed that they have offensive cyber capabilities. Appendix A of this research paper includes a sample of official statements that represent states’ first disclosure of offensive cyber capabilities. While this trend may be interpreted by some as an escalatory step towards the militarization of cyberspace, a more nuanced interpretation could describe it as a transparency measure. The motivation behind this decision can therefore be seen as a necessary first step towards more transparency (and predictability) in the context of offensive cyber operations.

Capacity

Assessing Cyber Spending

Government funding aimed at enhancing cybersecurity can be perceived as either heightening or reducing the threat level in this environment, depending on whether the spending is directed toward defensive or offensive measures. In order to clarify this, a distinction is made in the trend table (Table 1) between ‘cyber military spending’, which includes both offensive and defensive capabilities, and ‘national cybersecurity and counter cybercrime spending’, which is purely defensive. Our analysis of open-source documents and budgets shows current government spending in both categories from eight countries (Table 2 and Table 3).[15] Though clear figures on government spending in this domain are extremely difficult to discern, from this analysis it can be deduced that government spending for both cybersecurity and cyber military capabilities is increasing. This claim is evidenced by the sheer lack of budgetary information for cyber capabilities available for the years between 2009 and 2017, compared to the large sums reported in recent years. This trend does not come as a surprise and is emblematic of the cyber domain’s exponential rise in prevalence, which government cyber-related spending is simultaneously a symptom of, and a cause for.

Table 2
Whole-of-Government Cybersecurity

| Country | Annual Budget | Latest available year |
| --- | --- | --- |
| United States[16] | € 7,028,300,000 | 2019 |
| United Kingdom[17] | € 194,000,000 | 2019[18] |
| Germany[19] | € 135,452,000 | 2019 |
| Netherlands[20] | € 61,000,000 | 2019 |
| Canada[21] | € 67,800,000 | 2019 |

In response to growing awareness of the damage caused by cyberattacks, governments are dedicating more resources to cybersecurity in order to protect their ICT systems (Table 2). The United States remains at the forefront of cybersecurity spending, while countries such as France and the UK have followed suit by dedicating significant amounts of funding towards cybersecurity capabilities. The rise in investment toward defensive measures is also indicated by the creation of dedicated agencies and departments that focus on cybersecurity. Recently created agencies such as the Agency for Innovation in Cybersecurity in Germany highlight that cybersecurity competences are increasingly centralized in specific sectors of the government, and receive separate funding accordingly.

Table 3
Cyber Military Spending

| Country | Annual Budget | Latest available year |
| --- | --- | --- |
| United States[22] | € 7,150,000,000 | 2019 |
| United Kingdom[23] | € 152,500,000 | 2019[24] |
| France[25] | € 228,600,000 | 2019 |
| Australia[26] | € 518,500,000 | 2019 |
| Denmark[27] | € 312,600,000 | 2019 |

As a reflection of the increase in states disclosing offensive cyber capabilities, cyber military spending is also rising. The US leads this trend, with significant portions of the 2019 annual budget of 7.15 billion euros being allocated to the US Cyber Command.[28] Under both the Obama and Trump administrations, efforts have been undertaken to expand the capabilities of the US Cyber Command, for example through an increase in personnel, a greater operational mandate, and enhanced technical capabilities.[29] Although overall military spending is significantly lower in the other examined countries, their investments into offensive cyber capabilities relative to previous years are indicative of the efforts undertaken by the respective governments to further develop the cyber capabilities of their armed forces.

Activities

Conflicts between states are taking new forms, and cyber operations are playing an increasingly important role. These operations aim to infringe on the availability and integrity of data and ICT systems through what can be described as a Computer Network Attack (CNA).[30] This can be accomplished through denial of service or destructive malware insertion and other means. It often equally requires espionage or intelligence activity – i.e. the ability to violate the confidentiality of data. This precursor, formerly known as Computer Network Exploitation (CNE), includes capabilities known as Intelligence, Cyber Espionage, Surveillance and Reconnaissance (ISR) and Operational Preparation of the Environment (OPE).[31] Indeed, the capability of states to inflict kinetic-effect harm in cyberspace requires to various extents the ability to conduct intelligence operations. However, the exact nature of these attacks is ubiquitous. While some cyber capabilities are reserved for the battlefield and are at least somewhat defined, other capabilities are less clear.[32] The lack of clarity on exactly what capabilities exist in cyberspace means that it is very difficult to describe comprehensively what the “means” (delivery systems or weapons) are.

Cyberspace provides states a veil of anonymity to engage in malign cyber activity in order to achieve strategic and operational gains. Across the spectrum of cyberspace we see that states are more openly engaging in cyberattacks against their adversaries, including cyber espionage (a form of CNE), CNA, and disinformation campaigns.[33] While attribution remains difficult to assign, targeted states are increasingly naming and shaming malign actors.[34]

Cyber Espionage

A recent rise in reported cyber espionage can be observed over a ten-year period (see Figure 1).[35] Specifically, China has been engaged in intellectual property and advanced military technology theft following a recent short hiatus.[36] The short hiatus can be attributed to US diplomatic efforts, such as the agreement between President Obama and President Xi,[37] the indictments of five People’s Liberation Army officers and Chinese businessman Su Bin,[38] the threat of sanctions,[39] but also the growing sophistication and re-organization of the Chinese forces.[40] Subsequent to the election of President Trump, and a significant deterioration of the relationship between Washington and Beijing due to rising political and economic tensions, Chinese cyber espionage is again on the rise.[41] This trend reflects recent reports by cybersecurity companies which have registered an increased number of attacks by Chinese hackers against US companies, as well as indictments by the US Justice Department against three Chinese nationals in November 2017.[42]

Figure 1
Reported Instances of Cyber Espionage (2008 - 2018)

Source: Council on Foreign Relations “Cyber Operations Tracker”. Cyber Espionage is a form of Computer Network Exploitation (CNE).

Computer Network Attacks

Similarly, Computer Network Attacks (CNA) are increasingly prevalent, as indicated by a rise in significant cyber incidents between 2008 and 2018 (see Figure 2).[43] Denial of service, DNS campaigns, malware attacks, phishing, and ransomware attacks seek to damage, destroy, or disrupt computers and/or computer operations,[44] which directly or indirectly negatively impacts states.[45] Notable CNA attacks include Stuxnet (2010), attacks against the Ukrainian power grid (2015), and WannaCry (2017).[46]

Figure 2
Reported Instances of Computer Network Attacks (CNA) (2008 - 2018)

Source: Center for Strategic and International Studies (CSIS) “Significant Cyber Incidents”. Category “Hacking” includes all entries that were too general in nature to be classified into one of the other categories.

Disinformation Campaigns

Cyber-enabled disinformation campaigns are likely on the rise; however, due to insufficient data for the last decade, a final determination cannot be made on this issue (Figure 3 shows data only for pro-Kremlin disinformation cases over the last four years). Nonetheless, recent reports highlight how states are engaging in comprehensive disinformation campaigns to influence public perception and erode trust in democratic systems.[47] A recent development in this regard is the rise of “Deepfakes”, i.e., hyper-realistic, difficult-to-debunk fake videos, which may have significant impact in shaping public opinion on a respective issue.[48] However, a simultaneous rise in efforts to counter disinformation campaigns is visible among European countries, especially in light of the impact these campaigns can have in times of elections.[49]

Figure 3
Reported Cases of pro-Kremlin Disinformation (2015 - 2019)

Source: The East Stratcom Task Force “The Disinformation Review” (via EUvsDisinfo)

International Order in Cyberspace

Setting Rules of the Road

Attempts to regulate these activities in cyberspace have taken place on the intergovernmental level, to varying degrees of success. In 1998, Russia introduced a resolution on information and telecommunications technology in the context of international security to the United Nations General Assembly.[50] This represented the first time that the topic of cybersecurity was to be addressed under the auspices of the United Nations. Since 1998 the UN Secretary-General has submitted regular reports to the General Assembly on the views of Member states on the issue. Various other developments have unfolded within the UN context in the meantime, including a proposal of several states for an international “code of conduct for information security” in 2011.[51] Whilst a majority of the Member states decided that a treaty was not a viable option, they have instead focused on setting out on a path of norm development.

The Application of International Law

Table 4
Assessment of Norms and Rules in Cyberspace

* Norms are voluntary, legally non-binding commitments that reflect a common standard of acceptable and proscribed behaviour, accompanying and expanding on existing legal understanding rather than attempting to craft new law. It is too early to identify long term trends for norm adherence in the field of international security in cyberspace as the norm-setting process in this space is relatively new – 11 norms were introduced by the United Nations Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International Security (GGE) in 2013 and 2015. This pulse therefore depicts norm adoption, the degree to which political norms are embedded in (inter)national policies and regulation, and their impact on the international order.

Whilst it has become a settled principle that international law applies in cyberspace,[52] it is sometimes unclear when and, more specifically, how existing international law is to be interpreted and applied. In 2013 the United Nations Group of Governmental Experts in the field of ICT (GGE), the main vehicle within the UN First Committee that deals with international security and disarmament in cyberspace, declared that international law is “applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment.”[53] Despite this, recent events have shown a worrying trend whereby state and non-state actors alike are engaging in behavior that threatens the stability of cyberspace, partly due to both the prevalence of legal gray areas, and to the uncertainties stemming from the multistakeholder nature of the domain.

Multilateral Norm-Setting

Establishing finely-delineated legal responsibilities for the various regimes in cyberspace is often not possible. Indeed, legal agreements have proven to be too difficult and time-consuming given the definitional and ideological differences between East and West. Therefore, the 2013 GGE report instead focused on the development of norms[54] - voluntary, legally non-binding commitments that reflect a common standard of acceptable and proscribed behavior, accompanying and expanding on existing legal understandings rather than attempting to craft new law. Further means of promoting common understandings mentioned in the GGE Reports include the application of confidence building measures - technical or practical measures that aim to enhance transparency, communication and trust between actors. Although the GGE Reports of 2013 & 2015 constitute important steps towards multilateral consensus on the issue, the contemporary view is that the divergent views of states are becoming more prominent and the schisms are widening. This was compounded by the fact that the last GGE in 2017 failed to reach consensus in their report, reflecting slow progress in multilateral fora on how international rules should be interpreted in the context of cyberspace. The UN First Committee is now split across two competing processes: an Open-Ended Working Group (Russian proposal) and a GGE (led by the US).[55]

Multilateral Stagnation and Multi-stakeholder Acceleration

The ability of governments to successfully manage the threat of major conflict in cyberspace is not only hampered by the rapid development of digital technologies and the difficulties in attribution, but also the dominant role of non-state actors in all shapes and forms (attacker, victim, media or carrier of attacks), as well as their unclear relationships with the government. Traditionally all questions related to international peace and security occur within the governmental remit of states and the UN First Committee, whilst in reality governments only constitute one of three stakeholder groups in the wider cyberspace ecosystem. It is a domain that is largely run by the private sector, which owns and runs most of its digital and physical assets, and civil society, which is largely responsible for coding and running the global Internet functions. This may lead to ambiguity in the application of international law and appropriate responses. Take for example the situation of a ‘hack-back’ - offensive cyber operations by non-state actors, who often justify their actions in the name of “self-defense,” as states do not have the capacity to adequately protect them against cyber threats.[56] Because of the significant disruptive and damaging effects hack-backs might have, including for third parties, they may trigger complex international legal disputes and escalations. Only recently have several proposals sought to curtail hack-backs - most notably the Global Commission on the Stability of Cyberspace (GCSC) norm against offensive cyber operations by non-state actors,[57] and the Paris Call on Trust and Security in Cyberspace.[58] At the same time, such “active cyber defense” by the private sector would already be unlawful in most states, while in other states it may not be prohibited or may even be reconsidered as a lawful tool.[59]

Failure to reach meaningful progress at the multilateral level has led other stakeholders to take the reins and become more involved in developing rules of the road. This is not the first time that this has occurred - nongovernmental groups have previously helped reshape global discussions on responsible behavior and introduced new norms for unprecedented international problems.[60] In contrast, however, the technological issues involved in governing cyberspace are complex and the rapid pace of change calls for a more collaborative approach than ever before. Private institutions have therefore also become engaged in developing policies that affect the markets and industries over which they preside, sometimes on their own initiative and sometimes in partnership with governments or civil society organizations.[61] Similarly, academia and the technical community have contributed by substantiating policy with more concrete or practical guidelines and solutions.[62] It remains to be seen however just how successful proposals of non-state actors such as these will be in limiting malicious cyber operations, and whether they will achieve the crucial step of convincing state actors to adopt, implement and eventually enforce these rules of the road. Conflicting stances of states on how and when to implement rules, and the current inability to assess acceptance of normative initiatives therefore account for the indicators relating to offensive cyber operations in the table above (Table 4).

Protecting Critical (Internet) Infrastructure

The relative success that norms can have in creating common ground amongst stakeholders is illustrated by the protection of the public core of the Internet. Responses to threats against the core Internet protocols and functions have required the cooperation of states, the private sector and civil society groups, as the Internet is privately-owned and the infrastructure underpinning it governed and maintained by a community made up of individuals and civil society groups.[63] While the idea of protecting the core Internet functions has a longer history, the notion only recently became the subject of various norm proposals, most notably of the GCSC[64] and the Internet Society Mutually Agreed Norms of Routing Security.[65] The proposal of the GCSC has since been accepted and adopted by several institutions, including its inclusion in the Paris Call for Trust and Security in Cyberspace[66] and its adoption into law through the EU Cybersecurity Act.[67]

Another positive development is the degree to which state and non-state actors are taking measures to protect their critical infrastructure. Critical infrastructure can be defined as “systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”[68] Recent events concerning national power grids as well as the extent to which automated systems are integrated with each other have led to fears that these systems may be susceptible to Offensive Cyber Operations. Various efforts at the multilateral, regional and national levels have aimed to address the issue of critical infrastructure protection, amongst them the GGE Report of 2015 which repeatedly emphasized the need to protect critical infrastructure and their associated information systems from ICT threats.[69] The United States Executive Order 13800[70] was aimed at improving the nation’s cyber posture and capabilities in the face of intensifying cybersecurity threats, whereas the National Institute of Standards and Technology also issued a report for improving critical infrastructure cybersecurity.[71] The European Union has been undertaking its own efforts in this area,[72] and the OSCE identified critical infrastructure protection as an important issue in its confidence building measures and other decisions.[73]

Civil society groups have extended this debate by focusing on elements of critical infrastructure that require specific attention, such as calling for the protection of the technical infrastructure that supports elections and plebiscites.[74] Nothing reflects genuine political independence more than national participatory processes, such as elections. Whilst the UN Charter sought to grant strong protections against undue external interference, those protective measures have now come to be challenged again in the digital age - voting system instruments and software may be vulnerable to attacks, whilst voter registration data is collected on a vast scale and published online.[75] Elections and participatory processes should be carried out in accordance with national laws, but cyber operations originating from outside a state’s jurisdiction may necessitate a coordinated response. Norms such as these build upon and re-affirm international legal protections already afforded against external interference in the internal affairs of states, whilst calling for a commitment from governments as a modest first step towards effective multilateral cooperation. The relevant success of the norms of the GCSC as well as regional initiatives and national laws are evidence of the general positive trends in awareness and acceptance of norms and rules in cyberspace.

Conclusion: Building Bridges Between Multilateralism and Multistakeholderism

This paper has examined trends relevant to conflict in cyberspace by delving into the intentions, capabilities and activities of states in this critical domain. The primary takeaway is that conflict in cyberspace is intensifying, and is likely to continue to do so. The rise in reported cyber espionage (Figure 1) and Computer Network Attacks (Figure 2), as well as the indication that disinformation campaigns are proliferating, is leading states to regard threats emanating from cyberspace as a crucial security concern, which in turn contributes to an escalation of tensions between states and an increase in cyber military spending (Table 3). However, this dire outlook is at least partially counterbalanced by an increase in resources allocated to national cybersecurity (Table 2), positive developments in the involvement of non-state stakeholders in the norm-setting process, and the increased acceptance of norms and rules in cyberspace (Table 4).

The development of norms in cyberspace has followed conceptual discussions about the rights and responsibilities of actors. The problematic trends highlighted in the first section of this report cannot be solved by states alone, but only by all stakeholders working together cooperatively. Due to the shared responsibility in cyberspace between the various regimes, both state and non-state norms can and do overlap. One of the challenges of agreeing on norms of behavior in cyberspace is that norms and CBMs are sometimes formulated by one set of actors but expected to be executed by another. This requires that the actor groups, regimes, and initiatives fully recognize each other’s mandate or legitimacy.

For these initiatives to work, however, the relevant stakeholder groups must come together to ensure that the solutions are as effective as they can be whilst avoiding overlaps, with the primary objective of creating coherence between these initiatives. Whilst the international peace and security field within cybersecurity is moving towards acceptance and adoption of norms, there remains a greater need to take stock of the various initiatives, push for implementation and enforcement or follow up on compliance. Attitudes change and so do understandings and acceptance towards certain types of behavior, though usually this happens over an extended period of time. For the status quo to move from norm development to adoption and adherence, stakeholders need to stand behind the norms which they feel are important both in words and in actions. Only once viable pathways for carrying those norms forward are identified will it become possible to assess norm adherence.

Appendix A: States’ First Disclosure of Offensive Cyber Capabilities (non-exhaustive)

Actor: United States
Date: November 2006
Document: The National Military Strategy for Cyberspace Operations
Excerpt: “Operations in cyberspace are a critical aspect of our military operations around the globe. The enclosed NMS-CO is the product of significant reflection and debate within our military and government. It describes the cyberspace domain, articulates threats and vulnerabilities in cyberspace, and provides a strategic framework for action. The NMS-CO is the US Armed Forces' comprehensive strategic approach for using cyberspace operations to assure US military strategic superiority in the domain. The integration of offensive and defensive cyberspace operations, coupled with the skill and knowledge of our people, is fundamental to this approach.” (p. vii)

Actor: United States
Date: February 2013
Document: Joint Publication 3-12: Cyberspace Operations
Excerpt: “The successful execution of CO requires the integrated and synchronized employment of offensive, defensive, and DODIN operations, underpinned by effective and timely operational preparation of the environment. CO missions are categorized as offensive cyberspace operations (OCO), defensive cyberspace operations (DCO), and DODIN based on their intent.” (p. vii)

Actor: France
Date: June 2008
Document: Secrétariat général de la défense et de la sécurité nationale, Défense et Sécurité nationale: Le Livre Blanc
Excerpt: “En outre, dans la mesure où le cyberespace est devenu un nouveau champ d’action dans lequel se déroulent déjà des opérations militaires, la France devra développer une capacité de lutte dans cet espace. Des règles d’engagement appropriées, tenant compte des considérations juridiques liées à ce nouveau milieu, devront être élaborées.” (p. 53)
[Translation: In addition, as cyberspace has become a new field of action in which military operations are already taking place, France will have to develop a fighting capacity in this area. Appropriate rules of engagement, taking into account legal considerations related to this new environment, will need to be developed.]

Actor: United Kingdom
Date: June 2009
Document: Cyber Security Strategy of the United Kingdom
Excerpt: “There is an ongoing and broad debate regarding what ‘cyber warfare’ might entail, but it is a point of consensus that with a growing dependence upon cyber space, the defence and exploitation of information systems are increasingly important issues for national security. We recognise the need to develop military and civil capabilities, both nationally and with allies, to ensure we can defend against attack, and take steps against adversaries where necessary.” (p. 14)
“Exploiting opportunities in cyber space covers the full range of possible actions that the UK might need to take in cyber space in order to support cyber security and wider national security policy aims; for example, in countering terrorism and in combating serious organised crime.” (p. 15)

Actor: Japan
Date: May 2010
Document: Information Security Strategy for Protecting the Nation 2010
Excerpt: “In order to reinforce the measures against malware infections, maintain and improve counteractive capabilities against information security incidents and strengthen the information security measures taken by individuals on their PCs by promoting security awareness.” (p. 13)
“Reinforcement of policies taking account of possible outbreaks of cyber attacks and establishment of a counteractive organization To protect the nation from any cyber attacks that may risk the national security and prompt crisis management, the general mode of readiness must be reinforced and an organization to efficiently counteract any such cyber attacks must be established.” (p. 2)

Actor: Switzerland
Date: June 2012
Document: National strategy for Switzerland’s protection against cyber risks
Excerpt: “Crisis Management – Active measures to identify the perpetrator and possible impairment of its infrastructure in the event of a specific threat.” (p. 4)
“As a matter of fact, there can be no absolute protection against cyber attacks, hence a functioning collaboration of reactive and preventive capabilities are pivotal in order to minimise risks, limit damage and re-establish the initial state of operation of an attacked system.” (p. 10)

Actor: India
Date: 2013
Document: Technology Perspective and Capability Roadmap
Excerpt: “In the battlefield milieu, information, its integration and conversion into real-time actionable intelligence shall provide the battle winning edge to a Commander. We also need to exploit the electromagnetic spectrum to safeguard own combat systems, intercept and decipher the adversary’s information systems in a time bound manner. In addition, we must have the capability to prevent an attack or contain it and affect swift recovery, while at the same time have the ability to target adversary’s critical infrastructure and military capabilities. 9. The strategic forces need to be facilitated/ supported by real-time information. These will include satellites that produce sub metric resolution and backed up by UAVs with great staying power in the area of interest.”

Actor: Brazil
Date: November 2014
Document: Doutrina Militar de Defesa Cibernética
Excerpt: “Defesa Cibernética - conjunto de ações ofensivas, defensivas e exploratórias, realizadas no Espaço Cibernético, no contexto de um planejamento nacional de nível estratégico, coordenado e integrado pelo Ministério da Defesa, com as finalidades de proteger os sistemas de informação de interesse da Defesa Nacional, obter dados para a produção de conhecimento de Inteligência e comprometer os sistemas de informação do oponente.” (p. 18)
“Possibilidades da Defesa Cibernética 2.5.1 São possibilidades da Defesa Cibernética: a) atuar no Espaço Cibernético, por meio de ações ofensivas, defensivas e exploratórias” (p. 21)
[Translation: “Cyber Defense - a set of offensive, defensive and exploratory actions carried out in the Cyber Space, in the context of a national level strategic planning, coordinated and integrated by the Ministry of Defense, with the purpose of protecting information systems of interest to National Defense, obtain data for the production of Intelligence knowledge and compromise the information systems of the opponent.
They are possibilities of the Cyber Defense: a) to act in the Cyberspace, by means of offensive, defensive and exploratory actions;”]

Actor: Poland
Date: January 2015
Document: Cybersecurity doctrine of the Republic of Poland 2015
Excerpt: - operational and support subsystems - capable of independently running defensive (protective and defense) and offensive cyber operations, as well as providing and receiving support as part of allied operations. (Point 7, p. 9)

Actor: Netherlands
Date: February 2015
Document: Defensie Cyber Strategie, Brief van de Minister van Defensie
Previous: National Cyber Security Strategy (NCSS) 2011, no mention of offensive capabilities
Excerpt: Door de komende jaren actief aan deze speerpunten te werken, wil Defensie de verdere versterking van haar digitale middelen maximaal ondersteunen. De speerpunten voor de verdere versterking van de digitale middelen van Defensie betreffen:
5. de digitale weerbaarheid van Defensie;
6. het inlichtingenvermogen van Defensie in het digitale domein;
7. de ontwikkeling en de inzet van cybercapaciteiten als integraal onderdeel van het militaire optreden (defensief, offensief en inlichtingen). (p. 3)
[Translation: “By actively working on these spearheads in the coming years, the Ministry of Defense wants to provide maximum support for the further strengthening of its digital resources. The spearheads for the further strengthening of Defense's digital resources are:
5. the digital resilience of Defense;
6. the intelligence capacity of Defense in the digital domain;
7. the development and deployment of cyber capabilities as an integral part of military action (defensive, offensive and intelligence).”]

Actor: Israel
Date: August 2015
Document: Israel Defense Force (IDF) Strategy (Unofficial English translation by the Harvard Belfer Center)
Excerpt: “Cyberspace is another area of combat. Defense, intelligence collection, and assault activities will be carried out in this space. Building the IDF’s force in this sphere will be based on these actions: A. Establish a cyber arm that will constitute the main HQ subordinate to the Chief of the General Staff to operate and build the IDF’s cyber capabilities and will be responsible for planning and implementing combat in cyberspace.”

Actor: Australia
Date: April 2016
Document: Australia’s Cyber Security Strategy 2016
Excerpt: “Australia’s defensive and offensive cyber capabilities enable us to deter and respond to the threat of cyber attack.” (p. 28)

Actor: Germany
Date: November 2016
Document: National Cyber Security Strategy Germany 2016
Previous: 2011 Cyber Security Strategy, no mention of offensive capabilities
Excerpt: “Cyber-Verteidigung umfasst die in der Bundeswehr im Rahmen ihres verfassungsmäßigen Auftrages und dem völkerrechtlichen Rahmen vorhandenen defensiven und offensiven Fähigkeiten zum Wirken im Cyber-Raum” (p. 46)
[Translation: “Cyber-Defense includes the defensive and offensive abilities to work in cyberspace in the Bundeswehr within the framework of its constitutional mandate and international legal framework”]

Actor: United Kingdom
Date: November 2016
Document: National Cyber Security Strategy 2016 - 2021
Previous: 2011 Cyber Security Strategy, no mention of offensive cyber capabilities
Excerpt: “We will have the means to respond to cyber attacks in the same way as we respond to any other attack, using whichever capability is most appropriate, including an offensive cyber capability.” (p. 10)
“Offensive cyber capabilities involve deliberate intrusions into opponents’ systems or networks, with the intention of causing damage, disruption or destruction. Offensive cyber forms part of the full spectrum of capabilities we will develop to deter adversaries and to deny them opportunities to attack us, in both cyberspace and the physical sphere. Through our National Offensive Cyber Programme (NOCP), we have a dedicated capability to act in cyberspace and we will commit the resources to develop and improve this capability.” (p. 65)

Actor: China
Date: December 2016
Document: National Cyberspace Security Strategy
Excerpt: 二、目标
以总体国家安全观为指导,贯彻落实创新、协调、绿色、开放、共享的发展理念,增强风险意识和危机意识,统筹国内国际两个大局,统筹发展安全两件大事,积极防御、有效应对,推进网络空间和平、安全、开放、合作、有序,维护国家主权、安全、发展利益,实现建设网络强国的战略目标。
[Translation: “Guided by the overall national security concept, we will implement the development concept of innovation, coordination, green, openness, and sharing, enhance risk awareness and crisis awareness, coordinate the two major domestic and international situations, and coordinate the development of two major events, actively defending and responding effectively.”]

Actor: Canada
Date: 2017
Document: Strong, Secure, Engaged - Canada’s Defence Policy
Previous: 2010 Cyber Security Strategy, no mention of offensive capabilities
Excerpt: “To better leverage cyber capabilities in support of military operations, the Defence team will:
- Develop active cyber capabilities and employ them against potential adversaries in support of government-authorized military missions.” (Initiative 88, p. 73)

Actor: South Africa
Date: March 2017
Document: Department of Defence Annual Performance Plan for 2017
Excerpt: “During the FY2016/17 the DOD has developed a comprehensive departmental Cyber Warfare Strategy aligned with the national policy regarding South Africa’s posture and capabilities related to offensive information warfare actions.” (p. 6-7)

Actor: Switzerland
Date: November 2017
Document: Plan d’action Cyberdefense DDPS (PACD)
Previous: 2011 National strategy for Switzerland’s protection against cyber risks, no mention of offensive capabilities
Excerpt: “Chaque opérateur d'infrastructure critique est responsable de sa défense. Le SRC (Service de renseignement de la Confédération) peut prêter assistance en cas de cyberattaque (au besoin avec des contre-mesures offensives). Si les conditions sont remplies, l'armée peut (subsidiairement) l’appuyer.” (p. 8)
“Le DDPS est responsable de sa propre défense (au besoin avec des contre-mesures offensives).” (p. 8)
[Translation: “Each critical infrastructure operator is responsible for his defense. The SRC (Confederation Intelligence Service) can provide assistance in case of cyber attack (if necessary with offensive countermeasures). If the conditions are met, the army may (in the alternative) support it.”
The DDPS is responsible for its own defense (if necessary with offensive countermeasures).]

Actor: New Zealand
Date: July 2018
Document: Strategic Defense Policy Statement
Excerpt: “To maintain relevant combat capabilities, including interoperability with close partners, into the future the Defense Force needs to be able to conduct a broader range of cyber operations. This would provide military commanders with a broader set of tools to achieve military objectives and respond to activities that threaten both New Zealand security and the safety of Defense Force personnel.”

Actor: Sweden
Date: May 2019
Document: The Swedish Defence Commission’s white book on Sweden’s Security Policy and the Development of the Military Defence 2021-2025
Excerpt: “Sweden is one of the most digitised countries in the world. The Defence Commission concludes that Sweden has to take proper precautions in the information and cyber security field and develop the capability to act defensively and offensively in the cyber domain. The Defence Commission takes the view that the Swedish Armed Forces should be tasked to contribute to the comprehensive cyber defence in the total defence. Beyond protecting their own systems, the Swedish Armed Forces will be responsible for offensive cyber defence capabilities in the total defence.” (p. 7)

Actor: Denmark
Date: Published February 2019, stated 1/7/2018
Document: Danish Ministry of Defence - Offensive Cyber Effects
Excerpt: “Denmark has since 2016 contributed to NATO’s cyber defence and in 2018 it was announced that Denmark can also contribute to NATO operations with effects from the offensive cyber capability. Employment of offensive cyber capabilities in a military operation will take place under the command of the Chief of Defence.” (p. 1)

Actor: Malaysia
Date: 2010
Document: Malaysia’s National Defence Policy
Excerpt: “The development of a cyber-warfare capability is an important step towards counterbalancing the ability of other countries in the region and to defend important national targets from all forms of threats. It is important to stop any form of encroachment into national defence’s computer systems and networks. Concurrently, it also provides the room for developing offensive capabilities for conducting cyber-operations when necessary.” (p. 13)

Appendix B: Timeline of Major Cyber Incidents 2009-2019

Notes

With contributions from Alexander Klimburg, Tim Sweijs and Koen van Wijk.
Louk Faesen and Bianca Torossian, “Global Security Pulse June 2019: Conflict In Cyberspace” (The Hague Centre for Strategic Studies, July 2, 2019), link.
The analysis of activities in cyberspace also includes actions that are not directly linked to states. For example, the analysis of Computer Network Attacks is based on reported instances against a government agency, but the data also includes attacks against defense companies and high tech companies, as well as economic crimes with a loss of more than a million US dollars. Therefore, although not every data point corresponds directly to a state actor, these events still have an economic and/or security impact on states.
High Representative of The Union for Foreign Affairs and Security Policy, “Joint Communication to The European Parliament, The European Council, The Council, The European Economic and Social Committee and The Committee of The Regions: Report on the Implementation of the Action Plan Against Disinformation” (European External Action Service, June 14, 2019), 3, link.
Brian Krebs, “A Deep Dive on the Recent Widespread DNS Hijacking Attacks,” Krebs on Security (blog), February 18, 2019, link.
Lorand Laskai and Adam Segal, “A New Old Threat: Countering the Return of Chinese Industrial Cyber Espionage,” Digital and Cyberspace Policy Program (Council on Foreign Relations, December 6, 2018), link.
Cyberspace is managed by stakeholders from civil society, the private sector, and, to a lesser degree, by governments. See Alexander Klimburg and Louk Faesen, “A Balance of Power in Cyberspace | HCSS,” European Cybersecurity Journal 3, no. 4 (2018), link.
Louk Faesen and Bianca Torossian, “Global Security Pulse June 2019: Conflict In Cyberspace” (The Hague Centre for Strategic Studies, July 2, 2019), link.
See for example Daniel R. Coats, “Worldwide Threat Assessment of the US Intelligence Community” (Senate Select Committee on Intelligence, January 29, 2019), link. This risk is echoed in the recent Draft Council Conclusions on a Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (7823/2/17 REV 2): “The EU is concerned about the increased ability and willingness of state and non-state actors to pursue their objectives by undertaking malicious cyber activities of varying in scope, scale, duration, intensity, complexity, sophistication and impact.”
For more information on initiatives, see the “International Order in Cyberspace” section below.
Joseph S. Nye, “Deterrence in Cyberspace,” Project Syndicate, June 3, 2019, link.
United States of America Department of Defense, “Cyber Strategy” (U.S. DoD, 2018), link; President of the United States of America, “National Security Strategy of the United States of America” (The White House, 2017), link.
Max Smeets, “Cyber Command’s Strategy Risks Friction With Allies,” Lawfare (blog), May 28, 2019, link.
Klimburg and Faesen, “A Balance of Power in Cyberspace | HCSS.”
James R. Clapper, Marcel Lettre, and Michael S. Rogers, “Joint Statement for the Record to the Senate Armed Services Committee Foreign Cyber Threats to the United States” (U.S. Senate Armed Services Committee, January 5, 2017), link.
This report used only publicly available sources and data, preventing it from giving absolute numbers and findings. Determining cybersecurity spending is challenging because: (i) reporting is not consistent; (ii) there are no unified definitions, which makes it difficult to delineate which costs are specifically attributable to cybersecurity per se; (iii) cybersecurity is increasingly evolving into an integral part of government operations rather than being a separate unit cost; (iv) collecting and mapping the data of ICT and cybersecurity investments is generally complicated, as cybersecurity is mostly approached qualitatively and not primarily from a cost perspective.
This figure is the total cybersecurity budget minus budget allocated to the Department of Defense. This was then converted to EUR using the average exchange rate for 2019 and rounded to the nearest 100,000. Office of Management and Budget, “Cybersecurity Funding,” in Analytical Perspectives-Budget of the U.S. Government, FY 2020 (U.S. Government Publishing Office, 2019), 306, link.
This is all spending on the National Cyber Security Programme, minus 44%. This 44% was spent on ‘deter’ during the 2016-2019 period (as opposed to ‘defend’, ‘develop’ and ‘international’, see page 29 of the abovementioned document). Arguably, the spending under the ‘deter’ header can be considered military expenses. Roughly 42% of the total budget was used for the creation of the National Cyber Security Centre (NCSC) which operates under GCHQ. This figure was then converted to euro using the average exchange rate for 2019 and rounded to the nearest 100,000. National Audit Office, “Progress of the 2016–2021 National Cyber Security Programme,” March 15, 2019, 22, link.
The UK budget is announced in October, meaning that the data represented here applies to the fiscal year 2018-2019.
This figure is the annual budget for the Bundesamt für Sicherheit in der Informationstechnik, the German non-military cybersecurity agency. Bundesministerium der Finanzen, “Einzelplan 06 Bundesministerium des Innern, für Bau und Heimat,” in Bundeshaushalt 2019, 2018, 175, link.
This figure comprises the total civil budget for cybersecurity, which contained an initially planned 26 million and an additional 35 million. The budget was used by the Ministries of Justice and Security, Internal Affairs, Foreign Affairs, Economic Affairs and Climate, and Infrastructure. Tweede Kamer der Staten Generaal, “Miljoenennota 2019 Bijlagen,” September 18, 2018, 349, link.
This figure comprises the total cybersecurity budget in the 2019 national budget “to support Canada’s first comprehensive National Cyber Security Strategy and to establish the Canadian Centre for Cyber Security”. Total is CAD 507.7 million for 5 years, equaling CAD 101.54 million per year. The average exchange rate CAD-EUR for 2019 was used and the result rounded to the nearest 100,000 to produce this number. Department of Finance Government of Canada, “Budget 2019: Chapter 4,” February 27, 2018, link.
This figure is the cybersecurity budget specified for the Department of Defense. This was then converted to EUR using the average exchange rate for 2019 and rounded to the nearest 100,000. Office of Management and Budget, “Cybersecurity Funding,” 306.
This figure is 44% of spending on the National Cyber Security Programme for 2019. This 44% is part of the ‘deter’ category, which is arguably the military aspect of the Programme. Roughly 42% of the total budget was used for the creation of the National Cyber Security Centre (NCSC) which operates under GCHQ. This figure was then converted to euro using the average exchange rate for 2019 and rounded to the nearest 100,000. National Audit Office, “Progress of the 2016–2021 National Cyber Security Programme,” 22.
The UK budget is announced in October, meaning that the data represented here applies to the fiscal year 2018-2019.
This figure was part of a draft military planning law for the seven-year period 2019-2025, in which a total of 1,6 billion Euros was allocated to the cyber domain. Ministère des Armées, “Draft Military Planning Law 2019-2025,” February 2018, 4, link.
This is the total defence budget listed for “Foreign Signals Intelligence, Cyber Security and Offensive Cyber Operations”. The figure was converted to Euro using the average conversion rate for 2019 and rounded to the nearest 100,000. Australian Government Department of Defence, “Budget 2019-2020,” 2019, 157, link.
This figure represents the total of 1,4 billion DKK allocated over the period 2018-2023 divided by 6 to produce a yearly average. This number was then converted to Euro using the average conversion rate for 2019 and rounded to the nearest 100,000. Over the 6 year period, 10 million DKK will be set aside for research and education. Additionally 500 million DKK “will be set aside over the agreement period for further initiatives, including research and education”. Danish Government, “Danish Defence Agreement 2018-2023,” January 28, 2019, 9–10, link.
“The agency is executing on a fiscal year budget of about $610 million in 2019” Lauren C. Williams, “Cyber Command Looks to Expand,” FCW, February 14, 2019, link.
Jim Garamone and Lisa Ferdinando, “DoD Initiates Process to Elevate U.S. Cyber Command to Unified Combata,” U.S. Department of Defense, August 18, 2017, link.
Committee on National Security Systems (CNSS), “Committee on National Security Systems (CNSS) ‘Computer Network Attack (CNA),’” in Glossary (Computer Security Resource Center, 2015), link.
Kim Zetter, “Hacker Lexicon: What Are CNE and CNA?,” WIRED, June 7, 2016, link; Bruce Schneier, “Computer Network Exploitation vs. Computer Network Attack,” Schneier on Security (blog), March 10, 2014, link.
See “Cyberspace and Electronic Warfare Operations” (U.S. Army, April 2017), link; “Cyber Electromagnetic Activities” (U.S. Army, February 2014), link; “Cyberspace Operations” (U.S. Joint Chiefs of Staff, June 8, 2018), link; “Information Operations” (U.S. Joint Chiefs of Staff, November 20, 2014), link.
See Appendix B of this report: ‘Timeline of Major Cyber Incidents 2007-2019’
See for example Foreign & Commonwealth Office and National Cyber Security Centre, “Press Release: UK Exposes Russian Cyber Attacks,” GOV.UK, October 4, 2018, link.
Due to the clandestine nature of cyber espionage, this data is limited in the degree to which it adequately captures all cyber espionage as it occurs. This data reflects reported cyber espionage, but as actors are increasingly sophisticated in their activities, cyber espionage often remains undetected.
David E. Sanger and Steven Lee Myers, “After a Hiatus, China Accelerates Cyberspying Efforts to Obtain U.S. Technology,” The New York Times, November 29, 2018, sec. U.S., link.
See The White House, “FACT SHEET: President Xi Jinping’s State Visit to the United States,” whitehouse.gov, September 25, 2015, link.
For more information, please visit The U.S. Department of Justice Summary of the indictments. link
Ellen Nakashima, “U.S. Developing Sanctions against China over Cyberthefts,” Washington Post, August 30, 2015, sec. National Security, link.
During the hiatus China undertook a restructuring of the PLA, including a consolidation of control over PLA cyber units through the creation of the Strategic Support Force (the PLA’s space, cyber, and electronic warfare arm). See Laskai and Segal, “A New Old Threat.”
Laskai and Segal, n. 11.
Ibid, Laskai note 11
The Center for Strategic and International Studies (CSIS) logs “significant cyber attacks” since 2006. Events are included in this list (read: significance) on the basis of whether the attack was against a government agency, defense company or high tech company, or was an economic crime with a loss of more than a million US dollars. Events were coded and categorized by HCSS, and then included in the analysis depending on the Type of Incident. link.
Zetter, “Hacker Lexicon: What Are CNE and CNA?”
The analysis of Computer Network Attacks (Figure 2) is based on reported instances of CNA against a government agency, but the data also includes attacks against defense companies and high tech companies, as well as economic crimes with a loss of more than a million US dollars. Therefore, although not every data point corresponds directly to a state actor, these events still have an economic and/or security impact on states.
See Appendix B of this report: ‘Timeline of Major Cyber Incidents 2007-2019’
Kanzanira Thorington, “Europe’s Elections: The Fight Against Disinformation,” Council on Foreign Relations (blog), May 23, 2019, link.
Robert Chesney and Danielle K. Citron, “Disinformation on Steroids: The Threat of Deep Fakes,” Digital and Cyberspace Policy Program (Council on Foreign Relations, October 16, 2018), link.
Daniel Funke and Daniela Flamini, “A Guide to Anti-Misinformation Actions around the World,” Poynter, 2018, link.
UN General Assembly, “United Nations General Assembly Resolution 53/70” (United Nations, January 4, 1999), link.
For a more complete overview of normative developments within the United Nations, see Tim Maurer, “Cyber Norm Emergence at the United Nations - an Analysis of the UN’s Activities Regarding Cyber Security” (Harvard Kennedy School Belfer Center for Science and International Affairs, September 2011), link.
See the speech of Harold Koh, the former legal advisor to the United States Department of State, outlining the position of the United States in this regard. Harold H. Koh, “International Law in Cyberspace” (September 18, 2012), //2009-2017.state.gov/s/l/releases/remarks/197924.htm.
United Nations Group of Governmental Experts, “Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security A/68/98” (United Nations General Assembly, June 24, 2013), sec. 19, link; See also United Nations Group of Governmental Experts, “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security A/70/174” (United Nations General Assembly, July 22, 2015), link.
United Nations Group of Governmental Experts, “Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security A/68/98,” n. 34.
United Nations General Assembly, “Advancing Responsible State Behaviour in Cyberspace in the Context of International Security A/RES/73/266” (United Nations, December 22, 2018), link; United Nations General Assembly, “Developments in the Field of Information and Telecommunications in the Context of International Security A/RES/73/27” (United Nations, December 5, 2018), link.
Offensive cyber operations by non-state actors - or active cyber defense as it has more commonly become known - should be understood as a set of measures ranging from self defense on the victim’s network to destructive activity on the attacker’s network. Offensive operations within this continuum imply that the defender acts outside of its own network, independently of its intention (offense or defense) and the legal qualification of its acts. For a discussion on offensive cyber operations, including the contextual and legal reasoning behind the capacity of States to take measures to protect non-State actors, see the Global Commission on the Stability of Cyberspace Norm Against Offensive Cyber Operations by Non-State Actors and Additional Note to the Norm link.
Global Commission on the Stability of Cyberspace, “Norm against Offensive Cyber Operations by Non-State Actors,” in Norm Package Singapore, 2018, 18, link.
Ministry for Europe and Foreign Affairs of France, “Paris Call for Trust and Security in Cyberspace,” November 12, 2018, link.
See for example the Active Cyber Defense Certainty Act introduced in the US House of Representatives in 2017 that would allow private sector hack back. Tom Graves, “Active Cyber Defense Certainty Act,” Pub. L. No. H.R. 3270 (2019), link.
For instance, the Brundtland Commission created norms for Sustainable Development. A Carnegie Commission on Preventing Deadly Conflict led to the International Commission on Intervention and State Sovereignty and a commitment by all UN member states on the duty to prevent and protect against war crimes, genocide, ethnic cleansing and other crimes against humanity. The Ilves Commission helped set the framework for the NetMundial Initiative. The Brandt and Palme Commissions represented important steps both in development and disarmament, respectively.
Policy initiatives of private organizations include Microsoft’s calls for a Digital Geneva Convention, Digital Peace Now campaign and various norm proposals, the Siemens Charter of Trust, the Cybersecurity Tech Accord and the World Summit on the Information Society (WSIS) Coalition. Perhaps the most prominent example of collaborative initiatives between governments, private institutions and civil society organizations would be the Netmundial conference, whereas other examples would include the Internet Governance Forum and the recently-launched Paris Peace Forum which led to the Paris Call for Trust and Security in Cyberspace. 
Guidelines and best practices can help develop a culture of security. National policies on information and network security are based on a multidisciplinary and multistakeholder approach. A culture of security cannot arise just out of technical solutions - a comprehensive approach is needed that addresses socio-economic and legal considerations, and governments must therefore interact and engage with private and civil society actors. See Working Party on Information Security and Privacy, “The Promotion of a Culture of Security for Information Systems and Networks in OECD Countries” (Organisation for Economic Co-operation and Development, December 16, 2005), 7, link.
A number of states openly insist that states should play a key role in governing Internet policy and the Internet’s critical resources. Other states believe that efforts should be made to maintain what is generally referred to as the “multi-stakeholder model” of Internet governance, defined often as “a form of participatory and diverse form of governance”, and try to keep discussions on Internet governance separate from discussions on international peace and security. See United Nations, “Cyberspace and International Peace and Security - Responding to Complexity in the 21st Century” (United Nations Institute for Disarmament Research (UNIDIR), 2017), link.
“Call to Protect the Public Core of the Internet” (The Global Commission on the Stability of Cyberspace (GCSC), 2017), link; “Definition of the Public Core” (The Global Commission on the Stability of Cyberspace (GCSC), 2018), link.
See “Mutually Agreed Norms for Routing Security (MANRS) for Network Operators (ISP) and for Internet Exchange Points (IXP),” Internet Society (blog), accessed September 4, 2019, link; See also “Routing Security for Policymakers - An Internet Society White Paper” (The Internet Society, October 2018), link.
“Routing Security for Policymakers - An Internet Society White Paper,” n. 21.
The European Parliament and The Council of the European Union, “Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on Information and Communications Technology Cybersecurity Certification and Repealing Regulation (EU) No 526/2013 (Cybersecurity Act)” (Official Journal of the European Union, April 17, 2019), link.
It has also been defined as “assets or systems which are vital for the maintenance of societal functions, health, safety, security, economic or social well-being of people” in “EU Council Directive 2008/114/EC of 8 December 2008 on the Identification and Designation of European Critical Infrastructures and the Assessment of the Need to Improve Their Protection” (Official Journal of the European Union, December 8, 2008), link; James F. Sensenbrenner, “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT),” Pub. L. No. H.R.3162 (2001), link.
United Nations Group of Governmental Experts, “Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security A/70/174,” n. 34.
“Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” The White House, May 11, 2017, link.
“Framework for Improving Critical Infrastructure Cybersecurity” (National Institute of Standards and Technology, April 16, 2018), link.
The European Union Program for Critical Infrastructure Protection (EPCIP) sets the overall framework for activities aimed at improving the protection of critical infrastructure in Europe - across all EU states and in all relevant sectors of economic activity. See “Communication from the Commission on a European Union Program for Critical Infrastructure Protection” (European Union Commission, December 12, 2006), link.
“Initial Set of OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies, Decision No. 1106” (Organization for Security and Co-operation in Europe (OSCE), 2013), sec. 3, link; see also “Protecting Critical Energy Infrastructure from Terrorist Attack, Decision No. 6/07” (Organization for Security and Co-operation in Europe (OSCE), 2007), link; “Good Practices Guide on Non-Nuclear Critical Energy Infrastructure Protection (NNCEIP) from Terrorist Attacks Focusing on Threats Emanating from Cyberspace” (Organization for Security and Co-operation in Europe (OSCE), 2013), link.
“Call to Protect the Electoral Infrastructure” (The Global Commission on the Stability of Cyberspace (GCSC), 2018), link.
“Call to Protect the Electoral Infrastructure.”