Ms. Liisa Past, MA
Cyber security – at its core, defending the confidentiality, integrity and availability of data, networks and systems – is often overly mystified. In practice, it is another sphere in which governments assert their interests in conflict and, more importantly, strive to provide a stable and safe environment during peacetime. For this, a stable legal and normative environment is required.
At the same time, the intensifying tensions in cyberspace are highlighted by an ever-increasing level of incidents and attacks. A number of recent campaigns have targeted nations and governments; these are often considered to have been state-backed.
Thus, 9 years ago, when the Tallinn Manual Process started, it was perhaps a simpler, more hopeful time. In December 2012, when the Tallinn Manual 2.0 discussions kicked off, it was still hoped and sometimes believed that the lines in the sand regarding state-backed aggression in cyberspace would hold.
Amongst the most prominent of those red lines were the functioning of our democratic processes and our national critical information infrastructure. It was hoped that those two would not be targets of state-backed or politically inspired cyber attacks, at least not during peacetime. It is now clear that the attackers have broken those taboos in the last few years. Elections and participants in the democratic processes as well as water, power and air travel have all been targets of state-sponsored cyber attacks.
The attacks against power supply in Ukraine on Christmas 2015 and 2016 served as a significant demonstration of the adversarial capabilities, a warning of things to come. By 2017 it was revealed that European and US power – including nuclear – and water systems had been compromised. Those attacks were initially believed to have been targeting business networks, often knocks on the door to map the perimeter. It is now known that the campaigns went further and the impact could potentially have been detrimental to power production and distribution.
The meddling in our democratic systems goes beyond campaign hacks or the compromise of candidates and parties as most notably seen with the campaigns of Emmanuel Macron and Hillary Clinton. Yes, the public most embarrassingly found out what Hillary Clinton's campaign chief John Podesta’s password was after a successful phishing incident, but election officials as well as vendors are now known to have been targeted.
This, in a number of ways, demonstrates the importance of the work that has gone into Tallinn Manual 2.0, particularly in terms of jurisdiction and state responsibility.
The biggest change underlying these attacks is that state-backed players or those directly representing the government agencies no longer operate in the grey zone of strategic ambiguity. The shame of being caught has diminished. The effects of state-backed malicious cyber activity go further. This makes attribution more important than ever, not least as a basis for any response to malicious state-backed cyber activity.
The US agencies have attributed the campaign hacks to Russia. Last May, WannaCry ransomware impacted 150 countries and hundreds of thousands of systems, paralyzing healthcare, production facilities and telecoms. It was attributed to North Korea by the US, the UK, Australia, New Zealand and Japan. Similarly, the NotPetya wiper was attributed to Russia by an international coalition in a show of solidarity.
Attribution, of course, matters as it can lead to deterrence. However, we need to be careful here, so that we are not trigger-happy. In the past few years, attribution has moved from being a largely technical discipline to something much larger than digital forensics. It balances technical, legal and political elements. And this balance is something states and governments have to consider carefully.
In looking for response options, in particular, all three elements have to be considered. Attribution cannot be seen as paving the way to retribution. This is simply not an option in our agreed-upon international law regime. Therefore, lawyers need to be present throughout the attribution process. In particular, cooperation is needed to figure out and address thresholds and mechanisms for attribution as well as standards for evidence within states and then internationally. This way we have a sustainable idea of what deterrence might look like.
Up to now, most of the options available in response to cyber attacks are not collective, leaving collective defence in the cyber sphere to be furnished by practice. Currently, governments are at most coordinating responses and countermeasures. It is clear that states are figuring out their diplomatic, cyber-enabled and conventional responses to the facilitators and organizers of nation-on-nation cyber attacks.
The EU has recently empowered itself to respond to cyber attacks with a comprehensive set of Common Foreign and Security Policy (CFSP) measures, including diplomatic, economic and restrictive ones, “which can be used to prevent and respond to malicious cyber activities” (http://www.consilium.europa.eu/media/31666/st14435en17.pdf). NATO, having declared cyberspace a domain of military operations, serves as the next step of the ladder of collective escalation of response to events in cyberspace. So, state responsibility as it is analysed in the Tallinn Manual continues to be central.
Looking ahead, there are obvious challenges. The use of AI, including possible automated weapons systems, poses legal challenges, given how even regulating self-driving cars has been a struggle. The definition of data as a military objective has multiple interpretations. However, state practice seems to be becoming clearer, even if the legal interpretations are not moving closer to each other. Law enforcement's ability to pursue cyber crime across borders needs to be improved, but again, this is up to the respective agencies.
The issues mentioned above refer to relationships between national actors and their actions. As societies and governments, however, we are uniquely and increasingly dependent on international corporations, their goods and services, be it software or equipment. We need to figure out ways, including legal mechanisms, to be a demanding customer and have clear standards for supply chain assurance and vendors' responsibility.
As governments, we have a pressing need for clarity and legal standards when it comes to cross-border dependencies and supply chain management, particularly when dealing with global vulnerabilities such as Spectre. The Y2K bug, now almost two decades ago, was perhaps the first warning that national governments cannot ignore the role corporations play as vendors and suppliers and the sort of dependencies we therefore have to be able to mitigate. Simply put, a non-state problem cannot have a state solution. These dependencies need to be addressed and governments need the international law discussion to move together with these challenges.