Why wait for the elusive tipping point in cyber?

Whilst the world’s focus has been on traditional hotspots such as North Korea and Syria, there have been some major developments that are equally a cause for concern in the cyber domain. The poisoning of a Russian double agent in the United Kingdom led to reports that the British government was considering the use of cyber weapons in response. That, in turn, led to a warning by Russia that it would retaliate in kind. In the event, the United Kingdom finally responded through that traditional expression of state displeasure, expulsion of diplomats.

The public articulation by an important state that it is considering a cyber-attack as part of a menu of options in response to the alleged actions of another important country is a major escalation at many levels. It is also indicative of the fact that the militarisation of cyberspace is gathering pace, and that efforts have to be redoubled to ensure that cyberspace continues to be used for peaceful purposes. Here, it is important to note that, to all intents and purposes, militarisation and peaceful use are mutually incompatible given the blurred boundaries in cyberspace and the fact that virtually all software and code can be configured for both good and bad purposes.

These developments in the UK-Russia relationship have come amidst a rising crescendo of concern on the future of rules of the road for cyberspace ever since the collapse of the United Nations Group of Governmental Experts (UNGGE) process in June 2017. The call for paying renewed attention to securing cyberspace has been made in recent months in various fora ranging from the private-sector led World Economic Forum (WEF) to the annual gathering of security experts, the Munich Security Conference. The WEF’s Global Risks Report 2018 identified cybersecurity threats as one of the top five global risks and, in keeping with the new found focus on cybersecurity, has set up a Global Centre for Cybersecurity, expected to be launched in March in Geneva. At the Munich Security Conference, the UN Secretary General described the current scenario as one of “episodes of cyberwar between states” and “a permanent violation of cybersecurity”. The fact remains that all this amounts to nothing more than hand-wringing until states become sufficiently enthused to work together on establishing regulatory frameworks, be it in the form of treaties or binding norms.

International initiatives have largely been in limbo due to a number of factors, including the demise of the UNGGE and the disinterest of the Trump Administration in international engagement on cyberspace, reflected in the closure of the office of the US Cyber Co-ordinator’s office in the State Department and its merger into the Bureau of Economic and Business Affairs. Though the number of fora and commissions discussing cybersecurity keep proliferating, they have largely lost their relevance as bodies that could flesh out and build on the recommendations of UNGGEs or provide fresh out-of-the-box thinking for official bodies to consider and take forward. Further, they are also seen as too closely aligned with Western interests to have the credibility required to be taken seriously by all countries. Private sector initiatives such as the Digital Geneva Convention, while evoking considerable interest, have not gained traction for similar reasons.

Going forward, while many states still see utility in evolving norms, the focus seems to have shifted from negotiating norms with adversaries to shaping norms by like-minded countries, which sets the stage for norm competition in cyberspace. The shift in US policy to bilateral engagement on cyber issues and the general confusion among the ranks of those promoting an open and global Internet has given further impetus to those countries that push the alternative vision of a closed internet. Here, it is notable that the annual World Internet Conference that China held in December 2017 to promote its vision of a closed Internet under the guise of cyber sovereignty saw the largest participation yet from top internet companies including the CEOs of Apple and Google.

These developments could result in a further entrenchment of the rival country positions and the eventual fragmentation of cyberspace. There is still a case to be made for an open, secure, stable and global cyberspace, especially for developing countries that are only now beginning to enjoy the fruits of digitalisation. But they neither have the heft nor the internal and external capacities to make their voice count in cyberspace.

At the Global Conference on Cyber Space held in New Delhi in November 2017, the chair of the last UNGGE, Karsten Geier, listed a number of alternatives to the UNGGE process, along with their pros and cons. These included: 1) an International Cyber Disarmament Commission or a forum similar to the existing Conference on Disarmament, and 2) an open-ended working group or a smaller committee nominated by the UN General Assembly. He was of the opinion that the first option would be too focused on arms control and would only consider a limited number of issues, wryly noting that the Conference on Disarmament was yet to come up with a work programme in the 20 years of its existence. But at the same time open-ended working groups also had a less-than-stellar record. His suggestion of a small committee is ironic considering that India had proposed exactly such a committee in 2011 only to be opposed by the Western countries.

Whilst Geier was less than enthused about reviving the UNGGE process, considering its failure, it would seem that the UNGGE process is the least bad option to keep open channels and maintain continued focus on securing cyberspace. After all, the very first UNGGE set up to examine the issue of information security in 2004 had also been unable to arrive at a consensus. But that had not come in the way of the success of the UNGGEs that followed. Even if successive GGEs have been rightly criticised for their snail-like progress on cyber-norms, they performed a valuable role as an apex forum whose reports were both touchstones and milestones in forging global consensus on securing cyberspace. For this reason alone, the GGE process should be resurrected, learning from the successes and failures of past GGEs.

Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India.