Discussions at the UN have revealed that “implementation is currently one of our biggest challenges”. Specifically, states are conscious of the need to translate non-military cyber confidence-building measures (CBMs) into concrete actions that are implementable by all states, thus moving beyond awareness-raising. This is especially the case where CBMs are viewed by bodies such as the EU as a practical means of preventing conflicts. What next steps must then be taken?
A question that is still being asked is “why the UN”? The first pre-draft UN OEWG report highlights the importance of UN discussions on CBM implementation, given the limited membership of the regional bodies (such as the OSCE, ARF, OAS, EU, AU, SCO) and the fact that not all regional organisations have cyber CBMs in place. It goes without saying, however, that each of the multi-level efforts to drive progress and promote cyber CBM implementation has its own value.
The EU and its member states do, for instance, see the value in the suggested UN OEWG initiative to establish a mechanism to share best practices on CBMs, as long as it is in coordination with regional and sub-regional bodies and does not prejudice the further development and implementation of CBMs at other levels.
Today as in the past, multi-level CBM efforts are clearly vital. There is certainly also value in more dialogue, more information exchanges, more scenario-based exercises and possibly even more joint projects. Meanwhile, UN OEWG suggestions for near-term initiatives, such as a global repository of national points of contact, must draw lessons from specific substantive as well as operational regional good practices.
CBMs and Modern Conflict Prevention
Broadly speaking, traditional CBMs can be adapted for questions related to ICTs. Tailored cyber CBMs fill an especially important gap where it is not currently certain if or how traditional arms control theories apply effectively to cyber capabilities/ICTs, and whether these theories appropriately address the unique characteristics of cyberspace and ICTs. There are a number of unique aspects associated with state use of ICT tools, tactics and techniques (and, notably, military use of a number of other emerging technologies) as compared to traditional domains. Modern risk reduction mechanisms associated with cyber, digital and emerging strategic technologies must still be developed to tackle this rather unique problem set globally.
Relatedly, as part of Germany’s presidency of the European Union, the German Federal Foreign Office organised a conference in November to explore these questions, aptly framed as “rethinking arms control”. In other words, how can the international community tackle the impact of new technologies such as developments in AI/machine learning, quantum computing, biotechnologies, missile technologies, cyber and outer space? Where do the linkages among these new technologies intersect so much so that these individual technologies cannot be addressed individually? And, notably, what is Europe’s future role in such arms control?
The good news is that existing efforts to understand the implications of ICTs/cyber, to reduce risks related to them and to maximise the beneficial military and non-military uses of these dual-use technologies are arguably viewed as a forerunner, possibly even paving the way for other future risk reduction endeavours. In other words, these UN cyber negotiations matter far beyond “cyber” alone. The not-so-good news is that a number of serious challenges and unanswered questions still remain, showing us that other approaches must still be created for new arms control and risk reduction options.
A first key problem is that technologies (cyber, digital and emerging tech) can be difficult to see or to count, which means that, in comparison to conventional weaponry, it is difficult to assess states’ technological capabilities. The verification problem – a key aspect within conventional thinking surrounding compliance with and effectiveness of traditional arms control provisions – remains unsolved. This remains true even where there is ongoing analysis surrounding whether technological breakthroughs may also present new opportunities for establishing novel verification tools to address the particular arms control challenges presented by new technologies.
A second challenge to global efforts to implement cyber confidence- and trust-building measures is the growing number of active state actors as well as non-state actors (such as criminals or terrorist groups either expressing an interest in or actively using cyber-related capabilities that were traditionally the preserve of states). This adds complexity in comparison to many conventional disarmament/arms control areas generally involving only a small set of primarily state actors. Moreover, intelligence agencies have flagged concerns about the higher risks of misattribution and misdirected responses by both governments and the private sector, where the growing use of publicly and commercially available cyber tools increase the volume of unattributed cyber activity globally.
A third well-known difficulty arises from the heightened potential for confusion when states are assessing the intentions behind another state’s cyber activities. The already-blurred lines between heretofore unregulated state cyber espionage activity and state use of offensive (or defensive) cyber tools, tactics and techniques could become even more blurred – and potentially destabilising in ways it may not have been before. Unprecedentedly high levels of cyber-enabled espionage, combined with hybrid cyber-related grey zone activity, are taking place alongside trade warfare and downward-spiralling geo-economics trends such as technological decoupling. And these activities are all taking place within, and as part of, a highly strained geostrategic global environment where multilateralism is under threat. Even with a global pandemic and historically high global reliance on ICTs, the global security environment continues to deteriorate. Collaboration is increasingly difficult as countries turn inwards – competing hard for advantage – and the international community is failing at producing solutions to global problems such as cyber insecurity.
This creates an even more complex environment with high escalatory risks. For these reasons, developing, implementing and complying with concrete trust- and confidence-building measures is both more difficult and more vital than before. Might it be possible then that – in addition to pre-existing UN GGE cyber norms – further behavioural measures of restraint for these broadly cyber-enabled activities and disruptive strategic technologies could be agreed given the gravity of the risk to strategic and international stability as well as the nuclear balance? (As an aside: last year a norm was proposed prohibiting cyber attacks on nuclear weapons facilities to augment existing norms on critical infrastructure protection. However, there is no certainty that appropriate solutions will be found, or agreed to, solely – if at all – through UN cyber negotiations.)
The UN processes certainly have their hands full: both global and regional negotiations on cyber CBM implementation could be unduly hampered by today’s geopolitical environment. Somewhat paradoxically, cyber CBMs are intended to alleviate and deconflict high-pressure situations to avoid escalation and unintended conflict, but they will be rather difficult to implement in this political environment that is not conducive to cooperation. In other words, authentic political commitment to these conflict prevention processes is a precondition to their effectiveness in reducing mistrust: CBMs should not only increase transparency through information exchange, but also facilitate crisis cooperation and incentivise restraint.
The confluence of all these factors shows just how important the pursuit of effective cyber CBMs will continue to be in the coming years. It is also why, in the lead up to the UN GGE and UN OEWG negotiations, we recommended (as part of the UN GGE regional consultations) that more resources should be invested towards mechanisms that address the root problems of this mistrust. Little did we know then that the ensuing global pandemic would make matters even worse.
Breaking New Ground
Exploring innovative risk reduction mechanisms would not only be in the major powers’ self-interest but also in the self-interest of many other small and medium powers globally, including EU member states that pursue and value multilateralism and a stable geostrategic environment. Some analysts even go so far as to suggest that unilateral actions – including self-restraint – have a critical role to play in risk reduction where, in their view, agreements are unlikely for some dual-use technologies. Remember the Obama administration’s 2015 agreement with China to refrain from cyber-enabled theft of IP at a time when relations were becoming poorer? The agreement both broke new ground and had a positive ripple effect globally. What, then, is the straw that will break the camel’s back this time? In relation to behavioural change, what can a new Biden administration agree on bilaterally with Russia and China, as well as trilaterally?
In the meantime, it is fair to argue that there is little interest in allowing great power rivalry and mistrust to hinder progress, and middle powers could even step into this void and show their “creative leadership”. While it is broadly unlikely that limits will be placed on most of these technologies, the conversation can continue to focus on behavioural approaches that can be strengthened to promote responsible state behaviour – by drawing upon but also “by thinking outside our traditional box of arms control concepts and instruments“. There is also due recognition in the latest UN OEWG pre-draft report that “all stakeholders have a responsibility to use ICTs in a manner that does not endanger peace and security”. This begs the question: what, then, are effective multi-stakeholder solutions to arms control and risk reduction for dual-use cyber, digital and critical tech?
Practical Pathways for Cyber CBM Implementation
Circling back to current UN processes, a significant fourth problem to be addressed in regional and UN confidence-building efforts is how to take into account, within these cyber CBM endeavours, the speed of technological change and rapidly evolving technological complexity. This is especially critical where rapid change brought about by ICTs and new technologies does not necessarily suit an inherently longer policymaking process. Even where these frameworks are argued to be technology neutral, additional cyber CBMs might need to be adopted to cater to new technological realities, such as military uses of AI for increasingly automated or autonomous decision-making or cybersecurity purposes. How do those cyber CBMs that are already agreed-upon at the UN level or among regional groups hold up to new technological realities – do they need to be tweaked or adapted?
This means that an effective implementation of cyber CBMs is particularly essential where gaps in strategic understanding and predictability related to novel technological developments might arise quickly, thus bringing about destabilising factors. Cyber CBMs must certainly keep pace with technological developments such as the pursuit of increasing automation and autonomy in ICT operations. This is the case despite an open question about “whether each institutional silo should deal with the challenges posed by AI separately or whether the situation calls for a separate and dedicated process“. For now, the potential risks associated with increasingly autonomous cyber operations are recognised within the Chair’s summary of last December’s informal multi-stakeholder consultative meeting for the UN OEWG .
Lastly, these cyber CBMs specifically aim to reduce risk in the urgent short to medium term, while there is still a vacuum surrounding state behaviour. CBMs are a prerequisite for the success of these negotiations, especially where they can act as practical tools to enable the implementation of the UN GGE norms globally. Some of the language relating to certain cyber CBMs somewhat mirrors the language on “norms, rules and principles” for responsible state behaviour. In this case, additional CBMs might be required in future if and where additional norms are developed over time given the unique attributes of ICTs. Experience in this field also reveals the enabling aspects of capacity building to be highly important, helping, for instance, to ensure that states with lower capacity are not perceived to be evasive when they cannot implement or comply with CBMs.
The evolving behavioural approaches for states’ cyber activities are paving a pathway of examples for future risk reduction approaches. However, many more constructive solutions to unresolved questions are still required. By beginning to collectively ask the right questions, hopefully states and other stakeholders can also identify the right answers.
About the Author
Caitríona Heinl is Executive Director at The Azure Forum for Contemporary Security Strategy, Ireland and Adjunct Research Fellow at the School of Politics and International Relations at University College Dublin (UCD). Caitríona has over a decade of experience in international and Irish research and academic environments working on transnational crime, international security and defence questions with particular focus on cybersecurity policy, emerging technologies, and regional security.