Oleg Abdurashitov
Head of Public Affairs, APAC
Driven by nation’s concerns of the national security, the new cyberspace landscape is looking increasingly similar to the geopolitical one[i]. The more powerful states have disproportionate advantages in technology, capabilities and willingness to exercise and leverage their influence, including offensive military and espionage operations. Contestant states and non-state actors are striving to catch up by enhancing their offensive and defensive capacities, developing asymmetric means of cyber conflict and testing the limits of what is possible.
In the last decade, there have been many efforts to address this new reality in academic, military and diplomatic circles – from NATO recognizing cyber as ‘Domain of Operations’ to UN GGE’s partially successful efforts to agree on the norms of state behaviour in cyberspace. Despite this, universally applicable legal norms on cyberspace behaviour – themselves a ‘product of diplomatic compromise among the states’[ii] with vastly different views - are likely many years away.
On the other hand, governments are not the only side to global cyberspace affairs. In the foreseeable future, the ultimate architecture of the Internet as interconnected and interdependent ecosystem largely operated by the private sector is not going to change. And throughout many years the private sector and various multistakeholder platforms have delivered a rich set of norms, standards, and best practices in the area of cybersecurity and critical infrastructure protection – effectively creating what some researchers are now calling the ‘soft law’ of cyberspace[iii].
Trust in essential for this ‘soft law’ to take effect in managing complex interconnected systems and reduce massive transaction costs. That’s why rigorous independent verification of products and expertise more than anything characterizes the cybersecurity industry today. From APT research verification to independent product tests, from solutions architecture to bug bounty programs, the commercial companies are consistently working on strengthening cooperation, improving understanding and increasing transparency.
The incentives of militarized cyberspace seem to be moving in a very different direction – willingly or not, the governments’ actions in cyberspace are undermining this delicate balance of mutual knowledge and trust. For example, in one instance by stockpiling cyber weapons the governments have created a niche but lucrative grey market for zero-days[iv], disincentivizing responsible vulnerability disclosure and leaving critical systems unprotected. In the other, use of forth-party intel collection methods, as reported by Kaspersky researchers[v], allows competent actors to disguise themselves as other nation-state or even non-state actors in espionage campaigns, complicating attribution efforts to the point where they are meaningless.
These actions may make perfect sense in a military doctrine, but they unavoidably affect the entangled civil infrastructure dependent on cyber domain – from telecoms and finance to IoT and your favourite apps. In cyberwar, damage to civilian infrastructure Internet infrastructure is not a collateral damage – this very infrastructure often is, in fact, the target.
While the governments are now discussing the Confidence-Building Measures (CBMs)[vi] to avoid misunderstanding and conflict escalation in cyberspace, the companies caught in this geopolitical whirlwind are left to deal with eroding confidence in their products. As a private commercial company, we strongly believe that the private sector shall have a say at the broader, honest and open dialogue between states to ensure that the Internet is here for the common good, caused by actors who approach cyberspace as yet another arena for geopolitical competition
Otherwise, in the ‘zero-sum game’ vision of weaponized cyberspace, where technology companies are explicitly expected to take sides other than that of their users, it’s the users who will ultimately lose.
[i] Jonathan Zittrain, “Netwar”: The unwelcome militarization of the Internet has arrived. Bulletin of the Atomic Scientists, September 2017. Volume 73-2017, Issue 5
[ii] Greg Austin, International Legal Norms in Cyberspace: Evolution of China’s National Security Motivations. International Cyber Norms: Legal, Policy & Industry Perspectives. NATO CCD CEO Publications, Tallinn 2016
[iii] Gary E. Marchant, Brad Allenby, Soft law: New tools for governing emerging technologies. Bulletin of the Atomic Scientists, Volume 73-2017, Issue 2
[iv] Lillian Ablon, Timothy Bogart, Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits. RAND Corporation, Santa Monica, Calif. 2017
[v] Juan Andres Guerrero-Saade & Costin Raiu, Walking in Your Enemy’s Shadow: When Fourth-Party Collection Becomes Attribution Hell. Virus Bulletin Conference, Madrid 2016
[vi] Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. United Nations, July 2015