Deterrence by Norms to Stop Interstate Cyber Attacks

Abstract

In April 2017, the foreign ministers of the G7 countries approved a ‘Declaration on Responsible States Behaviour in Cyberspace’ (G7 Declaration 2017). The Declaration addresses a mounting concern about international stability and the security of our societies after the fast-pace escalation of cyber attacks occurred during the past decade. In the opening statement, the G7 ministers stress their concern […] about the risk of escalation and retaliation in cyberspace […]. Such activities could have a destabilizing effect on international peace and security. We stress that the risk of interstate conflict as a result of ICT incidents has emerged as a pressing issue for consideration. […], (G7 Declaration 2017, 1). Paradoxically, state actors often play a central role in the escalation of cyber attacks. State-run cyber attacks have been launched for espionage and sabotage purposes since 2003. Well-known examples include Titan Rain (2003), the Russian attack against Estonia (2006) and Georgia (2008), Red October targeting mostly Russia and Eastern European Countries (2007), Stuxnet and Operation Olympic Game against Iran (2006-2012). In 2016, a new wave of state-run (or state-sponsored) cyber attacks ranged from the Russian cyber attack against Ukraine power plant, to the Chinese and Russian infiltrations US Federal Offices, to the Shamoon/Greenbag cyber-attacks on government infrastructures in Saudi Arabia. This trend will continue. The relatively low entry-cost and the high chances of success mean that states will keep developing, relying on, and deploying cyber attacks. At the same time, the ever more likely AI leap of cyber capabilities — the use of AI and Machine Learning techniques for cyber offence and defence — indicates that cyber attacks will escalate in frequency, impact, and sophistication. Historically, escalation of interstate conflicts has been arrested using offensive or political strategies, sometimes in combination. Both have been deployed in cyberspace. The first failed; the second needs to be consolidated and enforced (Taddeo and Glorioso 2016b, 2016a).