Building Cyber Peace While Preparing for Cyber War

The encompassing trend of digitalisation and widespread dependencies on IT systems triggers adjustments also in the military forces. Besides necessary enhancements of IT security and defensive measures for cyberspace, a growing number of states are establishing offensive military capabilities for this domain. Looking at historical developments and transformations due to advancements in military technologies, the chapter discusses the political progress made and tools developed since. Both of these have contributed to handling challenges and confining threats to international security. With this background, the text assesses a possible application of these efforts to developments concerning cyberspace, as well as obstacles that need to be tackled for it to be successful. The chapter points out political advancements already in progress, the role of social initiatives, such as the cyber peace campaign of the Forum of Computer Scientists for Peace and Societal Responsibility (FifF), as well as potential consequences of the rising probability of cyber war as opposed to the prospects of cyber peace.

Not only today, but also in the future information technology and the advances in the field of computer science will have a high relevance for peace and security. Naturally, a textbook like this can only cover a selective part of research and a certain point in time. Nonetheless, it can be attempted to identify trends, challenges and venture an outlook into the future. That is exactly what we want to achieve in this chapter: To predict future developments and try to classify them correctly. These considerations were made both by the editor and the authors involved alike. Therefore, an outlook based on fundamentals, cyber conflicts and war, cyber peace, cyber arms control, infrastructures as well as social interaction is given.

Technological and scientific progress, especially the rapid development in information technology (IT), plays a crucial role regarding questions of peace and security. This textbook addresses the significance, potentials and challenges of IT for peace and security. For this purpose, the book offers an introduction to peace, conflict, and security research, thereby focusing on natural science, technical and computer science perspectives. In the following, it sheds light on fundamentals (e.g. IT in peace, conflict and security, naturalscience/ technical peace research), cyber conflicts and war (e.g. information warfare, cyber espionage, cyber defence, Darknet), cyber peace (e.g. dual-use, technology assessment, confidence and security building measures), cyber arms control (e.g. arms control in the cyberspace, unmanned systems, verification), cyber attribution and infrastructures (e.g. attribution of cyber attacks, resilient infrastructures, secure critical information infrastructures), culture and interaction (e.g. safety and security, cultural violence, social media), before an outlook is given. This chapter provides an overview of all chapters in this book.

This contribution investigates elements of cyber conflicts and attacks to determine the current state of cyber peace. The first section examines the current state of the Internet and whether or not it is in a state of cyber war. It analyses the classical concept of peace and war and determines which elements can be adapted to the digital sphere and where such a transformation can be problematic. The term ‘cyber peace’ is then defined and the components that make such a state possible identified. The last section discusses the different roles and their responsibilities to reach and preserve a state of peace in the digital sphere, coming to the conclusion that the Internet is not in a state of cyber war but more in a state of negative or unstable peace. To protect the Internet as a critical infrastructure from being abused as a new battleground, this chapter suggests moving towards a state of stable peace, and proposes increasing the security and resilience on a technical level and building up trust between all actors, ranging from the individual to the state level.

The Middle East is the region in which the first act of cyber warfare took place. Since then, cyber warfare has escalated and has completely altered the course of the MENA region’s geopolitics. With a foreword by top national security and cyber expert, Richard A. Clarke, this is the first anthology to specifically investigate the history and state of cyber warfare in the Middle East. It gathers an array of technical practitioners, social science scholars, and legal experts to provide a panoramic overview and cross-sectional analysis covering four main areas: privacy and civil society; the types of cyber conflict; information and influence operations; and methods of countering extremism online. The book highlights the real threat of hacktivism and informational warfare between state actors and the specific issues affecting the MENA region. These include digital authoritarianism and malware attacks in the Middle East, analysis of how ISIS and the Syrian electronic

The conceptual debate around the term cyber warfare has dominated the cybersecurity discipline over the last two decades. Much less attention has been given during this period to an equally important question: what constitutes cyber peace? This article draws on the literatures in peace and conflict studies and on desecuritization in critical security studies, to suggest how we might begin to rearticulate the cybersecurity narrative and shift the debate away from securitization and cyberwar to a more academically grounded focus on desecuritization and cyber peace. It is argued that such a move away from a vicious circle where states frame cybersecurity predominantly within a national security narrative and where they seek to perpetually prepare for cyberwar, to a virtual cycle of positive cyber peace, is not only a desirable, but a necessary outcome going forward. We assert that this is particularly important if we are to avoid (continuing) to construct the very vulnerabilities and insecurities that lead to the prioritization of offence and destruction in cyberspace, rather than transformative, human-centred development in information and communications technology innovation.

Views range widely about the seriousness of cyber attacks and the likelihood of cyber war. But even framing cyber attacks within the context of a loaded category like war can be an oversimplification that shifts focus away from enhancing cybersecurity against the full range of threats now facing companies, countries, and the international community. Current methods are proving ineffective at managing cyber attacks, and as cybersecurity legislation is being debated in the U.S. Congress and around the world the time is ripe for a fresh look at this critical topic. This Article searches for alternative avenues to foster cyber peace by applying a novel governance framework termed polycentric analysis championed by scholars such as Nobel Laureate Elinor Ostrom that promotes self-organization and networking regulations at multiple levels. This bottom-up form of governance is in contrast to the increasingly state-centric approach to both Internet governance and cybersecurity prevailing in forums like the International Telecommunication Union (ITU). ICANN, the Internet Engineering Task Force, and the ITU will be used as case studies to explore these different governance models. Analyzing the debate between Internet sovereignty and Internet freedom through the lens of polycentric regulation provides new insights about how to reconceptualize both cybersecurity and the future of Internet governance.

Stabilizing the Industrial System: Managed Security Services’ Contribution to Cyber-Peace

A summary is not available for this content so a preview has been provided. Please use the Get access link above for information on how to access this content.

There is a growing consensus that nations bear increasing responsibility for enhancing cybersecurity. A related recent trend has been the adoption of long-term strategic plans to help deter, protect, and defend against cyber threats. These national cybersecurity strategies outline a nation’s core values and goals in the realm of cybersecurity law and policy, from mitigating cybercrime and espionage to preparing for cyber warfare. This Article assesses the notion that nations bear the primary responsibility for managing cyber attacks and mitigating cybercrime by analyzing thirty-four national cybersecurity strategies as a vehicle to discover governance trends that could give rise to customary international law norms across the dimensions of critical infrastructure protection, cybercrime mitigation, and governance.

Increasing and worthwhile attention has been paid to applying existing international law to the cause of enhancing global cybersecurity. The bulk of this research, though, has been focused on leveraging international humanitarian law to regulate the conduct of cyber warfare. Yet much of this work is largely theoretical given how exceedingly rare it is for a cyber attack to cross the armed attack threshold. The bulk of the cyber risk facing the public and private sectors lies in the arena of cybercrime and espionage. More scholars have been applying international law ‘below the threshold’ to these issues, but much more work remains to be done. For example, perhaps surprisingly, relatively little attention has been paid to leveraging private international law to the cause of mitigating cyber risk. This Article seeks to address this omission by offering a roadmap that synthesizes and extends work in this field by drawing from cybersecurity due diligence, bilateral investment treaties, and customary international law along with underexplored realms of public international law including the Vienna Convention on Diplomatic Relations, lesser studied global commons regimes, and Mutual Legal Assistance Treaties. The time is ripe for a fresh look at existing international legal tools that would help us better manage the multifaceted cyber threat. Only then can an accounting be made of gaps to be filled in by norms, custom, and perhaps one day, new accords.

Cyberspace has witnessed a ‘militarisation’ as a growing number of states engage in a variety of cyber operations directed against foreign entities. The rate of this militarisation has outstripped the diplomatic efforts undertaken to provide this unique environment with some ‘rules of the road’. The primary mechanism for discussing possible norms of responsible state behaviour has been a series of UN Groups of Governmental Experts, which have produced three consensus reports over the last decade. The 2015 report recommended a series of principles and confidence-building measures to prevent conf1lict, but prospects for its implementation have receded as differences amongst states persist over how security concepts should be applied to cyberspace. Renewed efforts to promote responsible state behaviour will require greater engagement on the part of the private sector and civil society, both of which have a huge stake in sustaining cyber peace.

From Cyber War to Cyber Peace

Although there has been a relative abundance of work done on exploring the contours of the law of cyber war, far less attention has been paid to defining a law of cyber peace applicable below the armed attack threshold. Among the most important unanswered questions is what exactly nations’ due diligence obligations are to one another and to their respective private sectors. The International Court of Justice (“ICJ”) has not yet explicitly considered this topic, though it has ruled in the Corfu Channel case that one country’s territory should not be “used for acts that unlawfully harm other States.” But what steps exactly do nations and companies under their jurisdiction have to take under international law to secure their networks, and what of the rights and responsibilities of transit states? This Article reviews the arguments surrounding the creation of a cybersecurity due diligence norm and argues for a proactive regime that takes into account the common but differentiated responsibilities of public and private sector actors in cyberspace. The analogy is drawn to cybersecurity due diligence in the private sector and the experience of the 2014 National Institute of Standards and Technology (“NIST”) Framework to help guide and broaden the discussion.

Although there has been a relative abundance of work done on exploring the contours of the law of cyber war, far less attention has been paid to defining a law of cyber peace applicable below the armed attack threshold. Among the most important unanswered questions is what exactly nations’ due diligence obligations are to their respective private sectors and to one another. The International Court of Justice (“ICJ”) has not explicitly considered the legality of cyber weapons to this point, though it has ruled in the Corfu Channel case that one country’s territory should not be “used for acts that unlawfully harm other States.” But what steps exactly do nations and companies under their jurisdiction have to take under international law to secure their networks, and what of the rights and responsibilities of transit states? This chapter reviews the arguments surrounding the creation of a cybersecurity due diligence norm and argues for a proactive regime that takes into account the common but differentiated responsibilities of public- and private-sector actors in cyberspace. The analogy is drawn to cybersecurity due diligence in the private sector and the experience of the 2014 National Institute of Standards and Technology (“NIST”) Framework to help guide and broaden the discussion.