Cyber Security: A new chapter for arms control

Cyber has become, after land, sea, air and outer space, the fifth theater of international conflicts . The most notable episodes of an international use of cyber as a weapon were an attack in 2007 which swamped the websites of Estonia and,in 2010, the use of the “Stuxnet” virus against the Iranian Uranium enrichment unit. More recently, the dispute over Russian interferences during the US presidential campaign confirmed that the cyber world, though providing innumerable benefits, is a double edged sword and a potential instrument to destabilize international peace and security.

From a normative standpoint, the international community is not well equipped to address this new situation and its peculiarities which can hardly be compared to those of other types of armament :

– the offensive use of cyber creates an enormous problem of attribution of responsibilty

– cyber operators, even when belonging to the military, cannot be assimilated to the concept of “combatants” as foreseen by humanitarian laws

– no v blood is being shed and no immediate human sufferings, civilian or military, are caused by their use. This makes them less visible and relevant

– there is an ideological divide between countries for which cyber is a destabilizing instrument of free information and others which view it as an expression of freedomand are mainly concerned about potential threats to their critical infrastructures and military assets

– the verification and transparency aspects of any international deal on cyber would be complicated and unreliable.

Many countries have been prompt to militarize their cyber activities by establishing ad hoc command structures for defensive and offensive purposes. They have not been as swift to seek new norms to prevent an arms race.

NATO must be credited for publishing ,soon after the cyber attack against Estonia, the Tallin Manual, a text which contains a selection of the already existing international norms applicable to cyber warfare.This includes the prohibition of the use or threat of use of force and the principle that cyber weapons can only be used for self defense. It also stresses the equivalence between a cyber attack and a cinetic attack. However the Tallin Manual is not a legally binding text (not even for NATO) and identifying already existing legislation applicable to cyber warfare can only be a first step towards a more advanced process. Some cyber specific efforts have been made in this direction:

At the national level some countries or groups of countries have established a domestic discipline on cyber activities.The US and the UK adopted their respective Cyber Security strategies in 2011. The European Union 2016 global security strategy contains a short chapter on the subject.

At the bilateral level Russia and China finalized a cyber security pact in 2015. In the same year, the US White House published a fact sheet on the visit of the Chinese President containing a chapter dedicated to cyber security bilateral cooperation.

At a regional level, in December 2013, the Organization on Security and Cooperation in Europe (OSCE) introduced a set of confidence building measures dealing with communication and information sharing, programmes and strategies relevant to cyber security. A second set of CBMs aimed to reduce the risk of tensions arising from cyber activities was established in 2016. A possible additional effort,focusing on stability measures and responsible state behaviour is being considered.

At the multilateral, level the UN Secretary General established three successive Groups of Governmental Experts (GGE) focusing in particular on new confidence building measures tailored to cyber security.These include the principle that “States should not knowingly allow their territory to be used for internationally wrongful acts using ICT”. A number of UNGeneral Assembly resolutions have been approved and a draft code of conduct initiative, led by China and Russia, has also been tabled. Such measures are often preliminary steps of a process leading to the establishment of legally binding norms.

Recently the G7 heads of state and government endorsed a declaration drafted by experts titled “Promoting security and stability in cyberspace” which contemplates the establishment of new volutary measures to be achieved through a “multi-stakeholder approach” which would include both state and non state actors.

The momentum of all these initiatives must now be maintained and a more ambitious “bottom up” process must be adopted.

At the National level more countries should craft national legislation and transparent strategies on cyber security.More countries must also follow the example of China,Russia and the US in establishing bilateral cooperation on cyber security.

The measures adopted at the regional level by the OSCE and those suggested by the G7 group, both of a voluntary nature, should acquire a politically binding configuration. A future G7 text might be adopted and not merely “endorsed” by the leaders. An additional effort by the European Union to include cyber security in a revised version of its 2003 Non Proliferation strategy can be envisaged.

At the UN, the GGE approach should not be a substitute but rather a vehicle for achieving more advanced measures. Other measures at the UN might be considered such as: States to play a proactive role in prohibiting their territory from being used for wrongful cyber acts, the UN Office of Disarmament Affairs to establish a repository of national legislation and other relevant cyber security texts, reporting to the UN on such domestic norms and guidelines to be made mandatory.

Italy, which chairs the G7 group this year and will also preside over the OSCE in 2018, will bear a major responsibility in pursuing the cyber security discourse and in sponsoring a more ambitious approach at the national, bilateral, regional and multilateral level.Support, cooperation and active participation by governmental and non-governamental actors will facilitate this difficult task.

Carlo Trezza  former Ambassador of Italy to Korea and Permanent Representative for Disarmament and non Proliferation in Geneva.  Chairman of the Missile Technology Central Regime. Chairman of UN Secretary General Advisory Board on Disarmament