On 30-31 January 2020, Pugwash held its second workshop on the theme of cyber security and warfare at the Palais des Nations, Geneva, co-sponsored by the Mission of Brazil to the United Nations Office in Geneva. The meeting brought together more than 20 experts and academics in computer science and security, artificial intelligence, and political science, as well as representatives of diplomatic Missions, for discussion on a range of topics. These included international and intergovernmental cooperation, multi-stakeholder approaches to cyber governance, and the implications of artificial intelligence and autonomous weapons systems for conflict. A central issue for the Pugwash project is to understand how cyber activities may be used to generate a war, or an armed response to a cyber event, an eventuality that can be expected in the future, and therefore to propose ideas and initiatives that states and other institutions can implement to mitigate or prevent this likelihood.
Recommendations and Areas for Further Exploration
- Work could be carried out to produce a glossary or common understanding over what defines defensive and/or offensive cyber weapons. In principle, operative definitions could be pursued based on tools, techniques, targets, and consequences (and including other criteria if necessary) to chart a clearer way forward which would avoid the convoluted debate on definitions that plagues intergovernmental discussions. This work could be carried out within the UN context, by the GGE or OEWG, or equally by an independent commission of experts for input to the intergovernmental debates.
- Efforts toward a global agreement that prohibits attacks on critical infrastructures, particularly nuclear installations and facilities. More narrowly, the P5 States should start to discuss and implement Confidence Building Measures to strengthen their Command & Control and the Early Warning System against cyberattacks to prevent any nuclear incident or war based on false information.
- Generally, computer scientists and the different scientific and technical communities should be urged to engage and participate in discussions on the impact of these technologies. There should be a call to discuss the role of responsible science and scientists to be more committed to concrete research contributions that would mitigate or control destabilizing developments in the cyber sector.
- The regulation or prohibition of certain digital weapons: greater consensus should be sought that States can be prohibited from implanting “backdoors”, i.e. malware inserted by certain States into products sold to, or implanted in the infrastructure of, other States.
- States could be compelled to publish malware code, and companies incentivized to disclose vulnerabilities in their products.
- Push States to incentivize companies to produce secure products as a means to increase global security from cyber threats.
- Capacity-building within States must be promoted to address international cooperation and confidence-building measures.
- Establish a global Point-of-Contact network for cyber security, which includes both technical and political levels and an emphasis on establishing dialogue between these levels.
Summary of Main Discussion Points
- At a basic level, regulating the “cyber-sphere” at a global level is complicated by the competing understandings, visions, and definitions of different States, as well as the growing number of States (at least 70) possessing military cyber capabilities. While many agree on the need for a set of principles to abide by, work at the intergovernmental level (the UN Group of Governmental Experts and the Open-Ended Working Group) has not yet been able to produce sufficient consensus because of divergence over a number of main issues. It was felt by many that it would be important for the GGE-OEWG dynamic to produce some results in the near future.
- One tension concerns resistance to the application of the existing principles of International Humanitarian Law in a situation where, paradoxically, building new norms is challenged by the general erosion of existing global norms. Further, there is disagreement over how to apply core IHL principles such as proportionality and distinction in cases of cyber-attacks, let alone a common understanding of what threshold applies for defining a cyber-attack itself and what qualifies as an offensive or defensive cyber weapon or means.
- There is a clear split among those wishing to pursue legally-binding instruments for cyberspace and those who propose normative guidelines or confidence- and security-building measures to regulate cyber activities. Thus far, at the intergovernmental level, consensus focuses around addressing those cyber-operations which may be classified as an act of war.
- A central challenge thus revolves around attribution of cyber events: cyber-attacks are often deliberately performed through proxies or by masking the perpetrator. Attaining unqualified technical attribution is viewed as improbable and will likely require a dimension of political analysis.
- At the same time, there exist proposals for the creation of an impartial technical body for attribution work. These look to build an expertise network or institution for resolving technical questions, particularly useful for the many States lacking the resources to pursue the work by national technical means. Such a technical body could potentially be modelled on the IAEA or the International Court of Justice, or alternatively, existing CERTs/CSIRTs could be organized within a wider international framework to support attribution activities.
- A key point is the strong need for greater information-sharing: a range of measures (e.g. publication of malware code and other cyber-attack tools and mechanisms) could promote confidence in State assessments and build trust among the international community. Similarly, confidence-building measures could be pursued through bi-/multi-lateral and regional/sub-regional cyber dialogues which emphasize norms of responsible State behavior, the role of international law, and capacity building. Good proposals for CSBMs are available, but States are implementing them at very different speeds and with differing political interests.
- A serious danger is that the kinetic effects of certain cyber weapons may be disproportionately used or even have consequences beyond the intended effects. While the Stuxnet model (used against Iran’s centrifuge uranium enrichment program) was said to have clear restrictions in its code to not have wider ramifications, there are clear scenarios where cyber-attacks could spiral, having serious national, regional, or international consequences. The group discussed the need to have a broad agreement that would prohibit attacks on critical national infrastructure – including airplanes and public transport, health facilities, critical industrial plants, etc. – that would reduce the inherent risk of using cyber as a military tool.
- With many States eager to maintain a range of cyber means that may cause damage to other States’ critical infrastructure, postures are worryingly evolving to include kinetic responses to cyber-attacks as a means of deterrence. Many participants felt that States should rely on softer means of deterrence, possibly involving a graduated scale from diplomatic interaction and public shaming to the use of sanctions. Although softer measures confront the problem of a certainty threshold in attribution, they reduce the instabilities and possible escalations that a reliance on kinetic measures exacerbates.
- Similarly, it is clear that not all threats, vulnerabilities, and actions stemming from the use of cyber tools are the same or produce the same effects. Although the majority of cyber-attacks have low impact, what is not clear is where States understand a threshold of proportional reaction to exist or at what level it could be considered an act of war, particularly according to existing IHL and the UN Charter. It was suggested that risk analysis of cyber threats must be accompanied by analysis of possible consequences: which infrastructural networks the attack was intended for, and the extent of damage. It was strongly felt that such risk analysis needs to be pursued in an impartial way, by a technical body or independent institution.
- Both Artificial Intelligence (AI) and Machine Learning (ML) will accelerate offense and defense techniques for those who can develop them most quickly, in particular in the context of Lethal Autonomous Weapons Systems (LAWS). But an important caveat was noted: the potential of AI is exaggerated by a non-expert community and is not currently fully understood or developed from a theoretical standpoint. Questions remain around what the use of AI would mean for existing strategic nuclear weapons systems, for early warning infrastructure, and equally for missile defense, all of which are vitally important for arms race stability and for crisis stability. It was also noted that there are risks and intrinsic vulnerabilities inherent in the proliferation of non-mature AI/ML applications on the battlefield.
- One participant asserted that the increasing use of autonomous weapons systems (AWS) – as well as the implications for reaction speed brought about by AI and ML – will lead to a dominance of offensive capabilities, with serious implications for strategic stability due to a lower threshold for the use of force and the possibility that pre-emption becomes the norm. Moreover, the use of AI and ML in AWS will render human-in-the-loop involvement unmanageable, thereby compromising the notion of “reasonable human control / significant human intervention” in such weapons systems.
- A central issue therefore is what kind of legislation can be pursued toward regulating the development of (L)AWS and the use of AI in such systems. This raises many questions, including how to define “meaningful” control, how “fairness” might be measured in an algorithm, and how ethics can be embedded in the design of AI-enhanced weapons systems.
- More generally, on cybersecurity, there are a number of multi-stakeholder approaches being pursued. Within the UN, there have been efforts to include governments, civil society, and the private sector in an advisory group format to the OEWG and GGE. However, participation of other stakeholders in the intergovernmental deliberations has been limited and there is a lack of clarity on the extent to which this is influencing outcomes. It was suggested that a more continuous format would be needed in the next ten or more years, with greater coordination, while also permitting the involvement of observers to take part in discussion and participate in decision-making.
- There are also a number of parallel efforts, predominantly led by industry leaders, which address a range of supply-chain cybersecurity norms. In light of these siloed, competing, yet complementary efforts, there was a general feeling that a better division of labor could be implemented, with deeper coordination and an emphasis on industry efforts to transform the spirit of norm consensus into a framework of standards that attract consensus.
- Looking at the range of WMD regimes – A (atomic), B (biological), C (chemical) – it may be useful to pursue a convention against digital attacks, from which the norm can solidify and spread. However, it should be kept in mind that cyber-attacks have become “part of ordinary life” in a way that other WMD have not.
- While not unanimous among the group, it was suggested that it may take a Pearl Harbor-scale incident in the cyber realm to crystallize efforts toward significant change and hard regulation. Unfortunately, there is a major dilemma between freedom of information and speech on the one hand, and control to prevent the misuse or military use of cyber capabilities on the other, which challenges the notion of “cyber arms control” at a global level.