Cybersecurity is a complex concept. It essentially consists of the two terms ‘cyber’ and ‘security’, both of which are highly context-dependent. Cyber has its roots in the ancient Greek verb ‘kybereo’, which can be translated as to guide, steer, control, or govern. In the second half of the 20th century the emergence of ‘Cybernetics’ paved the way for automated process management, which is closely related to the development of information technology systems. From the 1950s onward, the adoption of cybernetics as a sort of meta-ideology had considerable impact on global politics during the ‘Cold War’; while the Soviets hesitated to develop computers and decentralized information networks, the West made this an essential element of economic and political hegemony. In that sense, there is an immediate connection between the cyber-domain and security.
While cybersecurity has many dimensions, for the sake of simplification it can be broken down into three areas:
- cybercrime, which targets individuals with malicious intent through either cyber-dependent or cyber-enabled methods.
- cyberespionage, which targets private or public institutions to access classified information, trade secrets or intellectual property.
- cyberwarfare, which is the attack on a state’s population and infrastructure by units that are either controlled or tolerated by another government.
While these three categories have become increasingly relevant and blended over the last decades, the dependency on reliable information technology throughout the COVID-19 pandemic has made cybersecurity a top priority for political decision-makers in the United States and Europe. Nevertheless, it is unlikely that the issue of security in the digital domain will be solved with more funding and resources alone. If we want cyberspace to be a place for peaceful and sustainable cooperation, we need to frame its governance differently.
Cyberspace is increasingly dangerous
The recent ransomware attack on the Colonial Pipeline – the biggest in the United States, responsible for about 15 percent of the national oil supply – is just the latest high-profile example demonstrating how connected and vulnerable critical infrastructure has become. While the pipeline restored operation on 13 May, the outage quickly resulted in a rise in gasoline prices, panic buying in affected regions, as well as closures of thousands of gas stations. Colonial paid DarkSide – the group allegedly responsible for the attack – 4.4 million US dollars in Bitcoin to restore operation. Similarly, over the last year hospitals, universities and water supply infrastructure have been attacked, with fatal consequences in the worst cases. Perhaps unsurprisingly, international organizations such as Interpol and Europol report a stark rise in the malicious use of cyberspace during COVID-19.
Attack versus Defense
This short summary paints a bleak picture, but the perspectives going forward are even more worrisome: permanently connected public and private infrastructure (‘Smart City’, ‘Industry 4.0’), autonomous vehicles and continuing digital transformation will only increase the importance of this policy area. Security experts such as Bruce Schneier repeatedly highlight the necessity of ‘smart’ regulations to address the challenges. At the same time, the established culture and social dynamics are exacerbating risks: services and systems are developed by taking on ‘technical debt’, that is, by prioritising short-term (economic) gain over long-term interests such as security and privacy. Additionally, groups such as DarkSide benefit from public announcements that highlight flaws in their systems: they improve their attack strategies immediately, before potential victims are able to repair compromised systems or prevent future attacks. Finally, the exploration and sale of security vulnerabilities has become a viable business model for some companies.
Nobody talks about ‘Cyberpeace’
This obsession with offensive and defensive capabilities is striking since it provides insight into the underlying motivation: while it seems perfectly acceptable that the cyber-domain has become the canvas for spectacular battle paintings, no political actor seems to feel the desire – or responsibility – to mandate a change of the genre. Such change certainly does not fit the narrative of the ‘four internets’, where ‘openness is a vulnerability that can be exploited for misinformation or hacking, an opportunity taken by Russia, Iran and North Korea, among others.’ One might question whether it is actually helpful to constantly stigmatize certain nations as villains. This practice is at odds with the idea of the internet as a (more) universal space that is primarily dedicated to cooperation, collaboration and information exchange. At the same time, through increasing political and societal polarization it helps to build the momentum for the spiral of cyber-conflict, which is also catalyzed by the attack versus defense dynamic outlined above. In order to be able to move in a different direction where decision-makers choose the route of cooperation over conflict, different governance strategies are required. This is where it could be useful to think about the achievement of cyberpeace as an overarching objective that goes beyond cybersecurity.
What is in the Regulatory Toolbox?
At the moment, cyberpeace is mainly a topic for some civil society groups (e.g. FIfF, Cyberpeace Foundation). On a political level the concept surfaced briefly in September 2015 during the visit of Chinese President Xi Jinping to the United States. In an agreement that was immediately met with suspicion by some, the American and Chinese leaders agreed to stop cyberespionage, which would protect business and government secrets. It is currently unclear how relevant this initiative remains, especially since the relationship between the two parties has become much more difficult over recent years.
Most probably, the route towards cyberpeace requires incremental steps. One fundamental element is a (more) shared understanding of central concepts such as legitimate purposes and objectives of governmental surveillance, privacy, or more detailed standards for cybersecurity. Currently, there seems to be some momentum for enhanced transatlantic cooperation between the US and EU on cybersecurity standards. While multilateral attempts to establish such a broader understanding have so far failed on the level of the United Nations, other international organizations such as the Council of Europe have ongoing initiatives that are in principle open to countries all over the globe. For instance, the organization is currently working on a second additional protocol to the Convention on Cybercrime, which is also known as the ‘Budapest Convention’, in time for the convention’s 20th anniversary in November 2021.
International Standards: Obviously necessary, not realistic
On the one hand, it is clear that safe and trustworthy digital infrastructure will become more important in the coming years and that we are currently not able to deliver it. On the other hand, political decision-makers have not come to the conclusion that the security requirement is more important than the capability to carry out attacks. A good example to illustrate this contradictory position is the current discussion on encryption in the European Union. When it comes to protection against potential surveillance by United States security services, ‘robust encryption’ combined with legal agreements is required as a way to keep international data transfers private and secure. At the same time, the ministers of EU member states are thinking about ways to mandate the weakening of encryption to facilitate their own investigations. Perhaps this example highlights why reframing the discussion around cybersecurity might be useful: thinking beyond cybersecurity and towards cyberpeace could help in identifying and defining the objectives to strive towards, while putting the means that serve short-term interests of stakeholders in the background.
The Israel Public Policy Institute (IPPI) serves as a platform for exchange of ideas, knowledge and research among policy experts, researchers, and scholars. The opinions expressed in the publications on the IPPI website are solely those of the authors and do not necessarily reflect the views of IPPI.