On November 6 the NCAFP hosted a closed-door Roundtable entitled Cybersecurity: Challenge and Response: A New Generation Speaks Out. This Roundtable addressed key developments on the cybersecurity front and their implications for U.S. foreign policy, as they are taking place against a background of a shifting global strategic environment. Below, Camino Kavanagh, Senior Project Advisor for the NCAFP's Cybersecurity Project, sheds some light on some of these developments.
During the first NCAFP Cybersecurity Roundtable held in October of 2012, implications for American foreign policy and national security were discussed and some of these issues were carried through to this year’s Roundtable. Can you outline the current situation taking into account recent developments?
The past twelve months have been pretty eventful, particularly for the UN and, increasingly, states. To the dismay of many, the WCIT meeting in Dubai confirmed the interest of a growing number of governments in shifting the governance of the Internet from the current multi-stakeholder modality to the ITU, an inter-governmental body and specialized agency of the UN. It is unclear where this will lead to.
In June 2013, the UN Group of Governmental Experts (GGE) working within the framework of the UN General Assembly’s First Committee presented its report to the UN Secretary-General. The report was an important milestone in consensus as, after many years of disagreement, it confirmed the applicability of existing international law to cyberspace as well as the principle of sovereignty, and stressed that responsible state behavior applies just as much to cyberspace as it does in physical space. The next steps will be determining how all of these apply in practice. So, a lot more cooperation on determining norms, CBMs and capacity building will be required in the coming period. Unprecedented in this regard is that a new GGE will most likely be established next year to ensure that discussions between states on these issues continue.
On a parallel track, the US (and others) continues its work at the bilateral level (through Track 1.5 and Track 2 mechanisms) with its Russian and Chinese counterparts on many of these issues. And the private sector, civil society and academia are pushing to play a more predominant role in influencing outcomes in the field of international cybersecurity, particularly as elements of it become increasingly enmeshed in the Internet governance agenda and vice versa.
Meanwhile, significant debate and discussion is taking place on how the Snowden revelations regarding NSA surveillance practices may slow down progress (for example, within the GGE) or cement positions regarding state involvement in Internet governance (via the ITU). The weekly revelations have also led to a lot of activity within the UN GA Third Committee. Brazil and Germany co-sponsored a Resolution on Right to Privacy in the Digital Age which was adopted by the UN GA just a couple of weeks ago. The revelations have also led to further discussion domestically on questions of privacy.
The NCAFP will continue to examine the implications for US foreign policy of these developments in the coming months. Among the questions we now face: How much do we want to protect the current Internet governance model which is US centric and very favorable to the US; how does the US intend on addressing the fact that the principle of state sovereignty has now been recognized as applying to cyberspace? How will it reconcile this reality with its position on Internet governance and Internet freedom? The discussions on November 6 laid bare the fact that the cybersecurity challenges that we are confronted with today are political rather than technological in nature and responses should therefore form part of an invigorated foreign policy agenda.
In 2008, cyber-attacks were used by Russia against Georgia during the armed conflict over South Ossetia. This led many to talk about the threat of “cyber warfare.” How real is such a threat?
At this year’s roundtable, discussions reflected a growing consensus regarding the limited likelihood that any armed conflict will be solely ‘cyber’, i.e. it is highly unlikely that a ‘cyberwar’ per se will ever occur. In this regard, participants insisted on the need to inject some reality into the manner in which certain incidents and their effects are being described. As has been the case until now, cyber capabilities will continue to be deployed as an additional form of fire within the framework of a more conventional armed conflict (e.g. the 2008 conflict between Russia and Georgia), or in the form of weaponized code used as a covert tool of sabotage, and aimed at creating strategic effects and attaining foreign policy goals (for example the use of Stuxnet to put a brake on Iran’s nuclear ambitions). Jay Healey’s new book on the history of cyber conflict - A Fierce Domain - and Thomas Rid’s book - Cyberwar Will Never Take Place - are both well worth reading in this regard.