By BROOKS TIGNER
BRUSSELS – The international community is struggling to define how a government should respond to cyber-attacks outside a war situation but which cause major disruption or even deadly fall-out.
After several years of effort, the UN tried to nail down the issue by defining a set of guidelines but its group of national experts ultimately failed in summer 2017 to agree on what those should be.
That has left governments adrift in a sea of ambiguity, though international organisations – led by the EU – insist that the traditional rules and treaties regarding physical war apply directly to the digital world. There is a sense, however, that such a stance is but whistling in the dark for lack of a viable alternative.
One result of this anomaly is that “the allies now find themselves in a sort of ‘Article Four-and-a-half’ situation today, caught between crisis consultation and how to reaction to an attack,” says a senior allied official, referring to Articles Four and Five of NATO’s founding Washington Treaty. Those articles govern crisis consultation procedures with other allies versus the activation of collective defence, respectively.
“Cyber defence now equals collective defence, but the evidence so far shows that most malicious cyber activity falls below the level of warfare and armed attack,” the official told a cyber warfare conference in Brussels on 10 April organised by the Wilfried Martens Centre for European Studies. “What to do when there is a [cyber-attack] crisis that falls under the threshold of armed conflict, but whose consequences are serious enough that they must be dealt with? This is not clear.”
NATO is not alone in trying to muster a legal response to such cyber-attacks.
Karoly Dan, Hungary’s ambassador to the OSCE and UN, told the gathering that regional organisations probably “have a better chance of reaching agreement and coming up with solutions for state behavior” than the UN.
Noting that the OSCE has developed the world’s “most advanced” regime of arms control, he said the Vienna-based entity has developed a set of cyber warfare confidence-building measures “to reduce the risks of conflict stemming from the use of ICTs [information and communications technologies]”.
Dan said other regional groups such as the Organisation of American States and ASEAN, the forum of southeast Asian nations, “are following our approach as well”, though he added that how far they can go will depend on how closely their cultures are related: “The central problem will be to bring countries to the table who have virtually zero trust in one another to talk about cyber behaviour.”
Tomi Huhtanen, the Martens Centre’s executive director, said many experts consider that recent cyber-attacks such as WannaCry are just a test to see how the targeted countries react. “Russia and North Korea, for example, have not yet released their full cyber capabilities,” he said.
Exposing the perpetrators of such attacks could offer effective deterrence to them, said speaker Sico van der Meer, cyber security research fellow at The Netherlands’ Clingendael Institute of International Relations.
“We need better forensics, threat analysis and attribution. These should all be pursued within the UN, OSCE and other fora, hopefully pulling the ‘great powers’ into these agreements,” observed van der Meer.
This is not to dismiss confidence-building measures, which would certainly be a pre-requisite for, and to underpin, any legal treaty. Yet CBMs are most effective when based on mutual verification procedures. And that raises a fundamental question: what to verify in the virtual world of cyber warfare?
The cyber warfare realm is probably too abstract, complex and murky to be effectively framed by any international treaty or rules. The only thing that will discipline rogue or hostile nations is full disclosure of their tactics, which means developing air-tight forensic methods that would indisputably trace attribution to who did what. That’s where the West’s R&D effort should be focused.