Geopolitics continues to override cyber norms, so what’s the alternative? – Rupture Defense Rupture Defense


Can the world come together and agree on cyberstandards of behavior? (Graphic by Breaking Defense. Original photos by AltumCode via Unsplash and Nataliya Vaitkevich via Pexels.)

With the proliferation of cyber technologies over the past two decades, governments and experts have struggled to try to come up with a set of behavioral standards. The problem, argues Laura G. Brent of the Center for a New American Security, is that cyberweapons have become part of the geopolitical strategies of governments around the world. In this new editorial, she offers some suggestions for making cyberspace, perhaps, a little less dangerous.

Whenever a new technology emerges as a national security issue, governments want to set standards for behavior. We see it with AI, with unmanned systems, with hypersonic technology – and we’ve seen it with cyberspace.

Setting standards can help. The process itself can have benefits: it forces governments to communicate and develop a better understanding of how different nations view difficult issues. When standards are agreed, even if they are voluntary and non-binding, they can make explicit what can be mutually beneficial for states.

Standards, however, will always be in trouble when they start to clash with the core interests of the nations involved. As cyberspace is now intrinsically linked to traditional geopolitical competitions and conflicts, i.e. to fundamental interests, standards can only modify behavior to a certain extent. But hope is not lost: once governments accept the limits of the political norms of cyberspace, then they can adapt to the messier reality of cyberspace today.

An excellent case study of the relevance and limitations of standards is NSO Group, an Israeli company that develops advanced cyber surveillance tools. NSO Group says it is on a “rescue mission”, with capabilities that are used by governments for legitimate security purposes, such as search and rescue efforts or disrupting terrorist plots.

But a large collaborative investigative journalism effort alleges the company’s technology has been subverted to spy on politicians, diplomats, activists and private citizens around the world. Apple called [PDF] he is an “amoral mercenary of the 21st century[y]a reporter called him “threat to democracyand a US senator claimed that his actions “violate human rights and threaten [US] national security. “”In early November, the US government effectively banned technology exports to the NSO Group, saying the group’s products enabled “transnational repression” that “threatened[s] rules-based international order.

Amid such criticism, the Israeli government imposed stricter rules on its industry; now NSO Group can easily do business with far fewer (and not authoritarian) countries. The decision was described as a “victory” for political cybernorms – standards of responsible state conduct in cyberspace that, for example, promote human rights. This understanding would make Israel, in order to return to the good graces of its democratic counterparts, feel compelled to curtail the most aggressive activities of its industry.

Reality: Not much has really changed. Israeli companies can still apply for permission to export IT tools to any country. Israel is, despite the strength and size of its cyber-sector, only one country; others, including democracies, can and will continue to sell similar cyberproducts (and surveillance is just one problem in cyberspace).

Norms were also quickly flouted. Even as it imposed tougher export controls, Israel reportedly battled Iran in cyberspace, with the two nations making each other civilian targets — the exact scenario the political standards are meant to rule out. And the national defense authorization law for fiscal year 2022 [PDF], recently signed by President Joe Biden, included a provision to strengthen collaboration on cybersecurity research and technology development between the United States and Israel – far from being the action of a democracy indicating a normative dissatisfaction.

The most ambitious standards perpetuate an idea of ​​cyberspace as a domain separate from traditional geopolitical realities and national interests. But behavior in cyberspace will not be better or different from behavior in other areas. Israeli leaders view Iran as an existential threat, so how could cyberspace norms ever be a fully effective constraint?

While governments should not abandon policy standards, they should focus on other tools that could also reduce harm in cyberspace. One of these tools: technical cyber standards.

While political standards are about lofty, long-term goals for responsible behavior in cyberspace, technical cyber standards are about more limited goals. They accept as a premise that offensive operations will take place, and they seek to define how such operations can be made safer. This requires a “certain intransigence and even cynicism”, as governments must negotiate with their adversaries to agree on mutually acceptable offensive cyber campaigns – for example, those that use tools that have undergone robust testing or incorporate limits to their ability to spread.

This approach is not new. Consider New START and the Treaty on the Non-Proliferation of Nuclear Weapons (NPT). Both accept the existence of nuclear weapons while recognizing the common interest in limiting, respectively, their number and their spread.

The implementation of technical standards will be difficult and complex, and there will be no traditional inspection as in the case of arms control agreements. But this effort is promising: it produces results that are more pragmatic and specific than political norms.

Another way to promote trustworthy behaviors is for states to intelligently tailor their response to malicious cyber activity based on the mechanics of an attack.

Take the SolarWinds and Microsoft Exchange Server compromises, attributed to Russia and China respectively. As Dmitri Alperovitch and Ian Ward wrote in March 2021, the SolarWinds compromise was “very targeted and even quite responsible”, as Russia ultimately only gained access to a useful small fraction of the networks it might have; China, however, has undertaken the “exceptionally reckless and dangerous tactic” of compromising every server it can – and doing so in such a way that others, from states to criminals or individuals, can benefit from this compromise.

The United States ultimately imposed heavier sanctions on Russia (public attribution, release of technical information, and new executive order) than on China (public attribution, release of technical information, and indictments associated with various malicious cyber campaigns), even if the more indiscriminate attack held greater operational and technical risk.

When deciding on an appropriate response, the United States must obviously consider more than the exact technical nature of each trade-off – geopolitics will always take the lead. But Washington should consider the specific technical methods in which it can implicitly or externally decide on its decisions on how to respond.

Governments also need to remember that they are not always the drivers of technology or policy; cyberspace, more than traditional domains, presents this problem. If Washington and others do not improve security in cyberspace, the industry will take more drastic measures. WhatsApp and Apple sued NSO Group for harm caused by its products to their users. Even if these cases fail – which, given their novel nature, is entirely possible – risks exist for governments if the private sector independently sets the conditions for cyberspace. The United States, with its technology companies operating around the world, would likely fear that its companies would be similarly sued in foreign jurisdictions.

The current state of cyberspace is grim. The economic impacts of malicious activity are increasing – in the first six months of 2021, filings of suspicious activity reports [PDF] ransomware-related payments totaled $590 million, nearly $175 million more than all of 2020. Business operations — from ports to meat processing to pipelines — have taken a hit. major disturbances. And a ransomware attack may even have resulted in death.

Governments should continue to press for commitments to act more responsibly in cyberspace. They must also recognize the limitations of these political norms so that they can set clearer, more enforceable, and more useful boundaries for activity in cyberspace.

If governments don’t consider more creative solutions, there’s not much hope that cyberspace will change – or at least not change for the better.

Laura G. Brent is a Senior Fellow in the Technology and National Security Program at the Center for a New American Security. She previously worked on cyber policy at NATO, in the US government and in the private sector.


Comments are closed.