Report
27 August 2019

Cyberspace without conflict

The search for de-escalation of the international information conflict
Security, arms race, disinformation, espionage, sabotage, defence
No trains at Amsterdam Central Station during a computer disruption, 2012. Photo: HH
Cyber attacks happen on a daily basis and can have major consequences, both abroad and in the Netherlands. For example, foreign hackers attacked hospitals and the harbour of Rotterdam. What can the Netherlands, and other countries, do to prevent escalation? That is the subject of this report.

Summary

A growing number of countries are capable of carrying out cyber attacks that cause enormous damage to businesses, individuals and government institutions. Almost every country also uses cyber weapons. They spy on one another and try to infiltrate each other’s digital systems; some states even engage in cyber sabotage or spread disinformation. A new type of conflict is being fought with information technology, which we refer to in this report as an ‘information conflict’.

How can the Netherlands contribute to a de-escalation of this information conflict? This report suggests five possible solutions. It calls for the involvement of the public in the political and public debate about international cyber security, since it is the country’s citizens who will be affected most by cyber attacks. At the same time, they are also the ones who can call on governments and politicians to work towards de-escalation.

The nature of cyber attacks

This report first defines what cyber attacks are and compares them with conventional military aggression. The analysis produces the following picture.

Cyber attacks can usually be carried out from a great distance, can spread extremely quickly and are sometimes difficult to detect – especially if they involve highly sophisticated espionage or high-quality falsification of images and sound. Cyber attacks are sometimes even offered as a service. Cyber attackers range from intelligence services to cyber criminals, and seldom have to fear any repercussions, such as facing trial.

At the same time, cyber attacks are not necessarily more harmful than conventional attacks. In fact, cyber attacks are seldom intended to cause serious physical damage and can frequently be neutralised. Once it has been identified, malware can automatically be detected and attacks can be repulsed, provided suppliers and users keep their software systems up to date.

Consequently, while the emergence of cyber attacks creates serious security risks, there are ways of mitigating the damage.

Three rungs on an escalation ladder

Cyber attacks are an everyday occurrence. This report provides an overview of who carries them out, with the emphasis on the role of the major cyber powers – the United States, Russia and China – but also considering the role of the Netherlands and a number of other European countries. It does so by positioning the activities on a so-called cyber escalation ladder. The ladder has three rungs:

  1. A rung characterised by cyber peace, a situation in which countries do not use digital tools for espionage or engage in sabotage or disseminating disinformation.
  2. A rung characterised by information conflict, a situation in which states resort to cyber espionage and, sometimes, spreading disinformation and sabotaging digital systems.
  3. A rung characterised by cyber-physical war, a situation in which the damage caused by states is so serious that one could speak of armed attacks. It should be noted in this context that during a cyber-physical war, every type of cyber attack is in fact covered by international law, not just the few cyber attacks that actually constitute an armed attack.
The ladder of cyber escalation.

Most actions currently undertaken by influential states fall within the scope of what we describe above as the information conflict. In peacetime, countries build up their cyber security and try to infiltrate the digital systems of other countries as secretly as possible. Russia is also actively spreading disinformation. That is a strategy that other autocratic countries do not yet appear to employ on a large scale, at least not in relation to other countries, but it fits in seamlessly with their desire to control, censor and manipulate the information that reaches their populations. There are also a number of examples of serious cyber sabotage, such as Operation Olympic Games, which has been attributed to Israel and the United States, and the WannaCry attack, which has been attributed to North Korea. Up to now, cyber attacks have never instigated a cyber-physical war; in that respect, there is no ‘cyber war’. However, cyber weapons are increasingly an element of warfare, as can be clearly seen from the conflict in Ukraine.

International cooperation

The continuing information conflict creates a need for international diplomacy and agreements. In this report, we therefore review the cooperation that exists in this field. In various international and regional bodies states are trying to take steps to create a safe and free digital world.

Although there has been some success at the regional level, especially within the EU, states have not yet succeeded in making binding global agreements on cyber attacks. That does not mean there are no rules governing cyber attacks, but because these attacks seldom exceed the threshold of an ‘armed attack’ which activates international humanitarian law, there are only general principles, such as the prohibition of the use of force. And at present those principles are open to various interpretations.

 

Preferred citation: Hamer, J., R. van Est, L. Royakkers, with the assistance of N. Alberts (2019). Cyberspace without conflict – The search for de-escalation of the international information conflict. The Hague: Rathenau Instituut

Conclusion

Five possible solutions for de-escalation

The information conflict could escalate. As our report shows, the current international situation is risky and worrying. On the basis of our findings, we formulate five possible solutions that could contribute to a de-escalation of this conflict.

1. Continue cooperating to increase international cyber security

Important international initiatives have been taken to improve the security of cyberspace, such as the IMPACT coalition, the European network of Cyber Emergency Incident Response Teams and the NATO cyber exercises. The Netherlands has joined them. These collaborative efforts are and will remain very important.

2. Conclude clear international agreements on de-escalation in relation to cyber sabotage, disinformation, and cyber espionage

Although the Netherlands and other countries have taken important steps to formulate international rules governing cyber attacks, such as the Tallinn Manual and the Paris Call for Trust and Security in Cyberspace, there are very few binding rules that relate specifically to the information conflict. One option might be a cyber convention.

3. Ensure that the cyber arsenal is responsibly managed

It is important to prevent further proliferation of cyber weapons. That calls for international coordination of the build-up of cyber weapons and for effective collaboration with technology companies in removing vulnerabilities in their products. This collaboration also calls for as much transparency as possible, especially among allies.

4. Protect the independence of technology companies

Technology companies perform a crucial role in creating a secure digital environment. They close the holes in their software and can bring robust digital applications onto the market. It is important to help companies to make their operations as secure as possible. Governments are taking a risk if they insist that companies secretly weaken the security of their products. Governments must therefore regulate both the technology and technology companies in a sensible manner.

5. Invest in a debate on international cyber security

The information conflict must be subjected to a democratic debate: it is citizens who are particularly affected by cyber attacks. Citizens must therefore be resilient. It is also up to citizens to give direction to the digital future. De-escalation of the information conflict therefore calls for a public and political debate.

Cyber attacks in the picture

There are 3 types of cyber attack in the phase between war and peace. These are shown in the image below.

    Types of cyber attack