This week the Group of Governmental Experts (GGE), as part of the United Nations, is meeting once again in what has become a regular reflection of current thought in the field of cyber security internationally. ‘Reflection’ is the perfect word to describe what the GGE does because it’s not clear to what purpose the group is moving. It might be a useful exercise to review what we know about cyber security at this point and why the GGE will fail to engage with the most pressing problems generated in and from cyberspace.
The first GGE on Information and Communications Technologies, or ICTs, met in 2004. Since then three other groupings have met with the general objective of examining existing and potential threats from the cyber sphere and possible cooperative measures to address them. Except for the first GGE, they aggregate reports that are presented to the General Assembly and make recommendations to other Member States. They are meant to be geographically diverse, although they tend to lack significant representation from the global South. It takes its mandate from resolutions passed by the General Assembly, but it’s not clear to what purpose or for what ends the group operates.
The focus by most parties in the cyber security debate has been to concentrate on these major threats and promote the creation of norms. Most cyber conflict that we do see is generally in the domain of espionage as the recent hacks on the Democratic National Committee, Washington think thanks, or the Official of Personal Management demonstrate. Even more spectacular examples of cyber conflict like the Ukraine Black Energy Hack have been relatively trivial in effect but have enormous potential for impact. This leads to our first pressing development in the field:
1. Malicious cyber activities are increasing in rate but not in severity.
The focus on the spectacular is misguided. To make effective policy we must deal with the more everyday examples of just what cyber conflict is. While we can dream up spectacular attacks that bring about coming doom, the probability of these attacks is generally low; as is major war between established states. The final GGE report will continue to reflect this focus on the possible rather than the actual.
The 2015 report notes that “the most harmful attacks using ICTs include those targeted against critical infrastructure and associated information systems of a State. The risk of harmful ICT attacks against critical infrastructure is both real and serious.” While the potential of a damaging critical infrastructure attack is real, the probability is also very low. In fact, critical infrastructure attacks by squirrels are more persistent, deadly, and seemingly organized than cyber actions on critical infrastructure. This emphasis on state based attacks on critical systems shifts our focus away from the more likely attacks on information and individuals.
2. The real threat from malicious actors is when they target the context, integrity, and generation of information.
While the integrity of information is now recognized as a major problem, by the United States government and by popular culture with the TV show Mr. Robot, this more realistic analysis of cyber threat is generally missed in the academic and humanitarian discourse. The GGE will not address issues of the reliability and integrity of data, but we sure hope they do wake up to the most pressing issue in digital security.
Related to the issue of the integrity of data is the likelihood of hacks on electoral systems, which provokes great fear in the general population. Many believe that electoral fraud is a dreaded problem, and while specific examples of perfidy in normal voting processes are rare, the vulnerability exhibited by voting machines and other processes is astounding. The recent hacks on electoral voting records were likely trivial in impact–the same information could be purchased online. Yet the potential for further tampering with election processes is a problem the UN must deal with and try to establish working procedures to counter operatives and proxies seeking to impact internal democratic processes.
The third emerging issue is the reality of the cyber arms race. Long speculated and now beginning to be engaged academically, when actors pursue weapons with reckless abandon there is a high likelihood these races can reduce confidence, trust, and lead to actors utilizing their new toys.
3. The increasing proliferation of cyber arms, units, and doctrines is one the most pressing concerns in the international system.
Assurance that the state actors are not building offensive capabilities would be the goal for any organization hoping to forestall the development of a traditional security dilemma where increases in one state’s security causes a perceived decrease in the opposition state’s security. These feelings of insecurity then translate to compelling states to produce their own buildups. The GGE seeks to increase transparency, but translating this to transparency in cyber weapons systems is an entirely different problem.
While the current functional norms advocated by the group are useful, assurance that critical systems will not be attacked is not enough. Controlling and limiting what is likely the perception of rampant cyber arms races would be a critical step towards ensuring confidence in global ICTs. What is more critical is the acceptance that diplomatic maneuvers, legal censure, or economic inducements are more successful in limiting abuses than outright cyber weaponry. The case of China’s reported reduction in cyber actions after the 2015 Presidential summit is a critical watershed in the field. Was the cause of this behavior change the result of the capabilities of the United States (constant before the attacks) or the more likely impact of economic, diplomatic, and legal moves to compel China to behave in a manner suited to international stability?
The next pressing development is the increased perception of rising cyber threat. Depending on the survey, recent respondents identify cyber threats as either the number one, two, or three international threat.
4. Increasing perceptions of cyber threat by the public and elites can endear fear based responses and escalation.
Some new analysis even suggests that cyber threats are seen as near equal to traditional terror threats. While there are few examples of the massive and spectacular cyber-attacks that many speculate about, this does not alter public perceptions that there will be coming disaster. When the public perception of a threat does not match the actual evaluation of the threat, we have a disconnect that can limit the ability of states to hold back from entering into cyber conflicts. The UN should be on the forefront of realistically evaluating the cyber threat.
The problem is that hype often does dominate the discourse. Flights of imagination are often more critical than actual evidence in cyber security and basing policy on speculation can be disastrous because we might miss the more critical threats that actually do exist. This leads to the general focus of such reports on the major states and grand events. The term Cyber Pearl Harbor was first used in 1991 and continues to be expressed in every meeting and event that discusses cyber security. If the focus is on the spectacular, what about the more mundane but frequent attacks on civilians by states? This leads to point five:
5. The threat to human rights activists, the media, and civilians in general is the real pressing cyber danger.
With our focus on the grandiose, we often miss the more common attacks on individuals that make up the bulk of cyber actions. The last GGE report emphasized that states “should guarantee full respect for human rights, including privacy and freedom of expression.” This is important and a point to explore further, including with human rights bodies and experts. The Internet presents many new ways for activists and journalists to mobilize, come together, or spread messages; but it is frequently used against them too. Instances of email intrusion, hacking and sabotage are increasingly common and not just in countries with repressive governments – it’s also surfacing in Western democracies.
Since the GGE meetings are closed to non-members – including technical experts – it’s difficult to understand the practice of the group’s reports and outlooks. Even if they group did have an open dialouge, what real world impact is the group having? What obligations do other countries have to act on the GGE’s recommendations? In theory, this could be some useful fora to discuss these matters, particularly norms of behavior, but the Group’s impact is limited by lack of inclusivity and its limited mandate.
The rate at which technology and cyber conflict evolves easily outpaces that of diplomacy and the institutions that seek to engage such issues, but if the GGE continues to merely “examine” and “study” it will struggle to remain relevant. If the UN wants to be a player in the cyber security dialogue going forward, it should move away from a “talking shop” approach towards involving more stakeholders and producing outcomes that really shape policy, reflecting the realities of the cyber game.