Oleg Abdurashitov, Head of CEO Office
There are no uneventful years in cyberspace – but 2021 may well have been the watershed year when governments across the world realized that cyberspace is no longer a ‘space’ existing on its own, but is in fact the very underlying fabric of modern societies.
The ransomware epidemic that shocked the U.S. with two massive – if short-lived – disruptions to supply chains demonstrated that it does not take a sophisticated attack on industrial components to paralyze a critical infrastructure operator. The attacks on Colonial Pipeline and JBS prompted an unprecedented cyber military response against non-state criminal actors and turned a page in the history of cyber-warfare targeting. With the details of the operation against the cybercriminals remaining secret for the time being, we are nonetheless looking at a redrawing of the “red lines” that govern military operations in cyberspace. As more countries acknowledge and strengthen their cyber warfare divisions, which will unavoidably operate in a predominantly civilian cyber domain, the risks of cyber escalation and misinterpretation continue to grow.
This is why the agreement of the members of the UN’s Open-Ended Working Group[1] on the first consensus report on the use of ICTs in the context of international security is a historic event in its own right: countries holding vastly different views on how to regulate cyberspace acknowledged that, their differences notwithstanding, cyberspace is far too important to simply follow the course of agreeing to disagree. The first joint US-Russia resolution on information security[2] (plus the bilateral talks between the governments of these two countries that followed the high-level meeting between their presidents), and the continuation[3] of the UN OEWG for the next round (and even the call to include non-state entities in the process), are signs both of cyberspace’s great importance and of its complexity, where legal, political, security and technical issues intertwine.
Attempts to cut this Gordian knot of cyberspace with unilateral measures, without acknowledging, accepting and addressing cyberspace’s complexity, will likely backfire, and at the very least will further erode trust among states, despite trust being essential for the negotiation process to progress. Equally, the lack of knowledge and capacity to address these issues, in particular the lack of understanding of the ‘esoteric language’ of their technical aspects, may spell doom for efforts to find common ground and to implement the agreed measures and norms. This is why we developed the Cyber Stability Games[4]: an exercise built to demystify technical attribution, one of the most complex and controversial cyber topics, so that cyber diplomats can understand the language and processes of technical experts.
The realization that cyberspace is a critical part of national security has prompted many countries to reassess their approach to digital policies in order to find a better balance between the interests of the state and the incentives of the free market. An example of this approach is the proposed NIS2 Directive, which seeks to strengthen the European Union’s capabilities and to address legal fragmentation by introducing a common legal framework and investing in the development of competence centers[5]. What some have called internet fragmentation has thus become another chapter in the evolution of cyberspace, with states seeking ways to manage the common good (and, increasingly, the common bad) of digital technologies.
With legal norms and practices in constant flux, multinational technology companies increasingly find themselves between the rock of regulation and the hard place of threats. While enabling the functioning and development of the digital domain, they are subject to enhanced regulatory scrutiny and user demands on the one hand, and are targets of state and non-state malicious actions on the other. In a remarkable twist, technology companies are now taking legal steps to fight back against the abuse of their technologies by the commercialized surveillance industry that monetizes product vulnerabilities, of which NSO Group has become the prime example[6].
The problem, however, extends beyond a single company or practice; it lies in the very nature of the software development process, which makes vulnerabilities unavoidable. Responsible vulnerability disclosure and transparency practices, of which Kaspersky is a devoted follower[7], may address part of the issue: the faster a company finds, reports and patches a vulnerability in its own products and in the products of others, the safer everyone in the digital supply chain is. However, if the weaponization of software vulnerabilities remains an acceptable practice, little can be done to address the systemic risk of supply-chain attacks, and the burden of proof will always remain with the technology vendor, imposing significant transaction costs. It is even less clear how to address vulnerabilities in open source software which, as the Log4j issue amply demonstrated, can turn into a security crisis literally overnight[8].
What 2021 has made clear is that being a passive witness to change in cyberspace is no longer an option. We are living through a transformation of cyberspace, and while understanding the magnitude of such a transformation usually requires some time and distance, remaining a hands-off observer of it is no longer possible – for states, companies and users alike.
[1] https://www.cfr.org/blog/unexpectedly-all-un-countries-agreed-cybersecurity-report-so-what
[3] https://meetings.unoda.org/section/oewg-ict-2021_documents_14473/
[4] https://media.kaspersky.com/en/enterprise-security/kips-on-technical-attribution.pdf
[5] https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2021)689333