by Scott Shackelford
Given the deluge of reporting on cyber attacks splashed across the headlines, it is natural to throw up one’s hands in exasperation, or even to seek a higher power. James Lewis of the Center for Strategic and International Studies, for example, has said, “We have a faith-based approach [to cybersecurity], in that we pray every night nothing bad will happen.” Indeed, in August 2013 alone, the Syrian Electronic Army allegedly launched cyber attacks against the New York Times and Twitter among other outlets, while China also suffered one of the largest cyber attacks in history, and new revelations surfaced regarding the National Security Agency’s surveillance programs. Some individuals, such as Professor Joseph Nye, Jr. and Secretary General of the International Telecommunication Union (ITU) Hamadoun Touré, and organizations, such as the Vatican’s Pontifical Academy of Sciences, though, have called for an approach beyond prayer. They have challenged the international community to consider the meaning of cyber peace at a time of seemingly endless and escalating cyber conflict.
Defining and fostering cyber peace is no easy feat; in fact, it has been said that “achieving and maintaining cyber-peace can be as demanding as starting a Cyberwar” (http://blog.deepsec.net/?p=702). What seems clear, though, is that cyber peace is not the absence of attacks or exploitations, an idea that could be called negative cyber peace. Rather, it is a network of multilevel regimes working together to promote global, just, and sustainable cybersecurity by clarifying norms for companies and countries alike to help reduce the risk of conflict, crime, and espionage in cyberspace to levels comparable to other business and national security risks. Working together through polycentric partnerships, and with the leadership of engaged individuals and institutions, we can stop cyber war before it starts by laying the groundwork for a positive cyber peace that respects human rights, spreads Internet access, and strengthens governance mechanisms by fostering multi-stakeholder collaboration.
The World Federation of Scientists proposed the concept of cyber peace during the Vatican’s Pontifical Academy of Sciences held in December 2008. This conference published the “Erice Declaration on Principles for Cyber Stability and Cyber Peace.” The Erice Declaration calls for enhancing cooperation and stability in cyberspace through the adoption of six principles ranging from guaranteeing the “free flow of information and ideas” to avoiding cyber conflict. Each principle is controversial to one group or another, underscoring the difficulty of even delineating cyber peace as a starting point for negotiations. Indeed, there is not yet a consensus view on what constitutes “cyber peace.” The ITU, a United Nations agency for information technologies, for example, has defined “cyber peace” as “a universal order of cyberspace” built on a “wholesome state of tranquility, the absence of disorder or disturbance and violence.” Although certainly desirable, such an outcome is politically unlikely in the foreseeable future given the deep geopolitical and sociocultural divisions between the cyber powers, including the United States, Russia, Israel, and China. For example, although the term “cybersecurity” is common in many Western nations, China and Russia, among other countries, prefer “information security,” which includes content. In essence, these countries are not only worried about cyber attacks on networks, but also the information being carried on them. In these nations’ views, cyberspace should be free from Western value labels, including free speech.
Some have argued that achieving cyber peace requires globalizing cybersecurity, along with Internet governance, which is currently the responsibility of numerous stakeholders. These entities include national governments; the private sector, such as the Internet Corporation for Assigned Names and Numbers (ICANN), which is a California-based non-profit responsible for matching IP addresses with domain names (e.g., www.ndias.nd.edu); technical communities, such as the Internet Engineering Task Force, which has helped develop and improve the Internet’s communications systems; civil society groups; and international organizations. Regarding the latter, some nations would prefer that the United Nations through the ITU take on a larger role in Internet governance on the part of member states, a view opposed by many Western policymakers who prefer a multi-stakeholder governance model. As a result, some have suggested that a new “digital divide” is emerging between those nations preferring a more state-centric cyberspace (i.e., Internet sovereignty), and those, such as the United States, that ostensibly envision cyberspace as a free “global networked commons,” in the words of former Secretary of State Hillary Clinton.
Though at times overblown, tensions between those advocating Internet sovereignty and Internet freedom underscore differing legal, cultural, and ethical traditions informing these policy debates. For example, due to the focus on applying the law of war to help manage cyber attacks, far less attention has been paid to developing a law of cyber peace. An array of legal instruments informed by ethical traditions such as utilitarianism are applicable toward this end ranging from, in the domestic context, managers considering cybersecurity as one component of their organization’s corporate social responsibility, to, at the global level, applying some version of the common heritage of mankind concept to cyberspace, which calls for the peaceful, equitable use of global common pool resources. Equally imperative is jumpstarting a conversation on the ethics of cyber conflict, especially for cyber attacks falling below the armed attack threshold such as cybercrime and espionage. The National Academy of Sciences has been working on a potentially groundbreaking volume on this topic entitled Policy Consequences and Legal/Ethical Implications of Offensive Information Warfare. Dr. Herb Lin, Chief Scientist at the National Academy, visited Notre Dame during the meeting of the International Society for Military Ethics on October 14, 2013 to present the new report.
There are also attendant enforcement difficulties to consider in fostering cyber peace, which is a problem across a range of international legal arenas from environmental law to the law of armed conflict, as may be seen in Syria. Indeed, some have called for the creation of “cyber peacekeepers” to help police the Internet for criminal activity. This idea, though, has been criticized as redundant given ongoing national and inter-governmental efforts aimed at enhancing global cybersecurity. For example, the ITU has established the International Multilateral Partnership Against Cyber Threats (IMPACT), which has been billed as the “world’s first comprehensive alliance against cyber threats” and is tasked with providing cybersecurity assistance and support to the ITU’s 193 Member States and also to other organizations within the UN system. The organization has already had some success in helping to build a bottom-up framework to promote cyber peace such as through a new regional Cybersecurity Innovation Center for the Arab region based in Oman. Other proposals have included establishing an International Criminal Tribunal for Cyberspace given the lack of forums to hold cyber attackers and their sponsors accountable, but these proposals also face uncertain political futures given the divides mentioned above.
Instead of focusing on a single path to cyber peace, then, such as a new cyber arms treaty that would face difficulties ranging from politics and enforcement to even defining what constitutes a “cyber weapon,” it may be more worthwhile to consider utilizing a range of technical, legal, political, and economic tools potentially couched within a polycentric framework. This is a multi-level, multi-purpose, multi-type, and multi-sectoral model developed by scholars including Nobel laureate Elinor Ostrom and Professor Vincent Ostrom that challenges orthodoxy by demonstrating the benefits of self-organization and networking regulations to address common problems such as cyber attacks. Among its many applications in this space is the finding that “a single governmental unit” is often incapable of managing “global collective action problems” such as climate change, or potentially, cyber attacks. Instead, a polycentric approach recognizes that diverse organizations working at multiple levels can create different types of policies that can increase levels of cooperation and compliance, enhancing regime flexibility and adaptability. Consequently, a top-down approach focused on a single treaty regime or institution could crowd out innovative bottom-up best practices developed organically from diverse ethical and legal cultures.
Active and important debates are ongoing about what is the best that we can reasonably hope for in terms of “peace” in cyberspace. But even though a grand Internet governance and cybersecurity bargain looks unlikely in the near term, concrete steps may be taken now to reduce cyber risk to all parties while raising the cost to attackers. These include the cyber powers creating a “Cybersecurity Forum,” similar to the Major Emitters Forum in the climate change context, which could begin by clarifying norms to secure critical international infrastructure such as the global financial system, air traffic control, and the energy sector. Sanctions and countermeasures could be levied against nations and private organizations that launch cyber attacks against these or other critical systems. Legal assistance treaties could be strengthened and forums created to help prosecute attackers when national courts are unable or unwilling to exercise jurisdiction. Cybersecurity could also become more central in trade and bilateral investment treaty negotiations so as to better protect trade secrets, which may be occurring in current U.S.-China discussions. Stakeholders could even make effective anti-malware and anti-spyware tools available for free along with open source encryption technologies to better safeguard private data, which would have the added value of helping to rebuild the reputation of U.S. technology firms that have been tarnished in the wake of disclosures from former Booz Allen systems administrator Edward Snowden. None of these suggestions are a magic bullet, but together they can begin the process of building a positive, global culture of cyber peace. Engaging in a constructive dialogue is critical to harmonizing divergent approaches to governance and reaching a middle ground between Internet sovereignty and freedom that both respects human rights and secures vital systems. Though a little prayer couldn’t hurt, too.
Scott J. Shackelford, JD, Ph.D.
Fall 2013 NDIAS Fellow
Scott Shackelford, a Residential Fellow at the NDIAS, is an Assistant Professor of Business Law and Ethics at Indiana University. He is a senior fellow of the Center for Applied Cybersecurity Research, as well as being affiliated with the IU Center for the Study of Global Change, Global and International Studies Program, Integrated Program in the Environment, and the Russian and East European Institute. Professor Shackelford specializes in cybersecurity law and policy, sustainable development, and global commons governance.
Professor Shackelford has written more than 40 articles, essays, and book chapters that have been published in such outlets as the New York University Environmental Law Journal, American Business Law Journal, Stanford Environmental Law Journal, Stanford Journal of International Law, and the Berkeley Journal of International Law.
In 2014, Professor Shackelford’s book, Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace, will be published by Cambridge University Press.