Sara Seppanen is a third year War Studies student with a particular interest in intelligence studies
Since the turn of the century, the world has seen a steady increase in the amount of malicious operations being carried out in the virtual sphere known as cyberspace. Besides individual concerns of compromised rights to privacy, which entered the limelight after the Snowden leaks of 2013, cyberspace carries with it innumerable security risks for nations at large. National security and governmental agencies across the globe frequently observe, and occasionally experience, the harmful consequences generated by cyberattacks and cyberespionage. In order to tackle the pressing threats posed by malicious cyber activities, 27 states have united under the “Joint Statement on Advancing Responsible State Behavior in Cyberspace”. While reinforcing the idea of an international rules-based order, the statement urges cooperation on a voluntary basis to hold states accountable when they target critical infrastructure, undermine democracies or conduct industry espionage in the realm of cyberspace. In light of this normative framework, the aim of this article is two-fold; to firstly outline some of the threats to peace and security arising from malicious cyber operations, and secondly, to illustrate why norms fall short of minimising security risks.
In a national security context, the main concern associated with cyberattacks is not necessarily the immediate technical havoc created by malware, but rather the economic or political impact of such operations. While certain uses of viruses and spyware might yield very little monetary or intellectual profit for the perpetrator, other operations can have serious consequences for many different sectors and agencies, even at a global level. For example, the hacking of the European Central Bank’s website in December 2018 was an operation which left market-sensitive data uncompromised, essentially presenting no threat to the Eurozone’s wellbeing. Nonetheless, by taking a much closer look at the operations residing in the deep corners of cyberspace, it is possible to recognise their political and financial utility. The 2011 Night Dragon hackers, who targeted the global energy industry to extract sensitive information, is just one example of an espionage operation which can exploit vulnerabilities in private security systems to undercut global economic competition.
Although the link between peace and cyber operations might not make sense intuitively, the strategic opportunities of cyberspace can be more easily understood when related to the physical domain. In August 2019 a confidential UN report claimed that North Korea has used sophisticated cyberattacks directed at financial institutions worldwide to enhance its nuclear weapons programme with an estimated $2bn. Not only does the kinetic consequences of such malware primarily threaten the nation security for neighbouring states like South Korea, but they are also likely to heighten geopolitical tensions spanning the globe. As Thomas Rid emphasises, in his work Cyber War Will Not Take Place, the rise of sophisticated computer incursions poses significant risks and threats (p.8). This is especially applicable to cyberespionage, as when Red October utilised highly flexible malware to steal data and geopolitical intelligence from organisations like NATO and the EU. Clearly, the spread of this classified data could undermine the organisations’ cohesion and collective defence capabilities, especially if the malware leak would have gone undetected. Even more importantly, as technical evidence suggest that the Red October perpetrators had Russian-speaking origins, it is possible to imagine a scenario where NATO-Russian diplomatic relations deteriorate as a consequence of conspicuously hostile activities in the cyber domain. Adding this to an already volatile and festering geopolitical environment is bound to create significant uncertainties for stability and peace, especially amongst powerful states like the US, Russia and China.
As no single security measure can yield perfect protection from attacks or cyberespionage, 27 UN members have jointly initiated an international normative framework to prevent information theft and targeting of critical infrastructure. While the efforts to establish norms should be applauded for their peaceful intentions, the statement itself will have little effect on activities in cyberspace. Norms, regardless of how deeply rooted they are in the international community, are inhibited by the structures of cyberspace, where the inability to attribute responsibility will result in malicious activities being carried out in an anonymous vacuum. Arguably, this is especially true for secretive operations like cyberespionage, where the state or state-sponsored actor has a permanent interest to remain undetectable. While some operations can indeed be traced to certain regions based on technical evidence of digital fingerprints, states can often plausibly deny any allegations. For instance, experts have been able to deduce that the cyberattack platform Regin was supported by a nation-state, based on its complexity and cost, but there is nothing indicating a more exact identity. Thus, while the normative framework might be a welcomed move in the midst of Western isolationist trends, the idea to hold states accountable for their actions in cyberspace is significantly flawed. While ‘naming and shaming’ procedures of suspected perpetrators might disincentive further operations in light of soft power concerns, this is likely to do more harm than good. With no clear-cut evidence, finger pointing is bound to generate significant turbulence in an already volatile international arena. Furthermore, experience from the current nuclear world, where organisations like the Nuclear Threat Initiative work to prevent the spread of nuclear weapons through broad international agreements, suggests that norms single-handedly are unable to prevent activities serving the self-interests of states. It must, however, be acknowledged that the absence of norms regarding nuclear weapons would probably have left the world worse off. Potentially this is true for cyberspace as well, since closing the door on a Joint Statement would have sent harmful signals globally, namely that everything is acceptable since nothing is normatively prohibited.
Nonetheless, the greatest drawback of the Joint Statement for cyberspace is the fact that major cyber states like China and Russia are not part of it. Not only is the normative framework practically inefficient in cyberspace, but it does not present any ground-breaking initiative. Although it might be in the majority’s interest to develop cyber norms, the framework fails to include many of the most prominent, and for the West dangerous, actors. While optimists could overlook this flaw, arguing that the Joint Statement calls upon all states to support the evolving framework, hopes will quickly vanish as non-signatories continue to freely roam and abuse vulnerabilities in cyberspace. If Russia and China have not already signed the Statement, they are unlikely to join forces at the development stage. As the international community is far from establishing a Digital Geneva Convention, which comes with further problems of retaliation and punishment tools, capacity-building is pivotal. As fellow Chronis Kapalidis emphasises, preparedness and internal drills to test potential deficiencies is vital to minimise cyber risks. Arguably, this must be done at every level of society and with regard to various different functions and purposes. Ranging from phishing emails to file infections, the keys to minimise risks of cyberattacks and espionage is education and enhancement of defensive capabilities. Resilience and security is not created by high-level norm setting amongst selected nations, but through strengthened public-private partnerships and protection of critical infrastructure and classified information. Only by doing this, norms can become complementary tools which symbolically seek to restrain states’ malicious activities in cyberspace.
 Thomas Rid, Cyberwar Will Not Take Place (Hurst Publishers, 2013) p.8