“Boiling point” reached: Cybersecurity Tech Accord launches the first Annual State of International Cybersecurity Thermometer

Launched in 2018, the Cybersecurity Tech Accord is a coalition of more than 150 global technology companies committed to foundational cybersecurity principles for responsible industry behavior. In the years since, the coalition has served as the voice of the technology industry in discussions around peace and security online as the world has continued to sleepwalk into seemingly ever-escalating cyber conflict. This trend is untenable, and the international community should not simply accept that with each passing year the breadth and severity of malicious activity online will escalate – especially when it comes to state cyber operations.

To help address this, as part of the celebrations for our 5-year anniversary, the Cybersecurity Tech Accord is launching the “State of International Cybersecurity Thermometer”, an annual assessment provided by our community of industry experts. The assessment is included in our 5-year anniversary report, which can be accessed here. The Thermometer aims to take the “temperature” of current cyber conflict, evaluating developments over the past year and their contributions to overall cyber stability and security. This evaluation will be expressed on a Celsius thermometer and based on common water temperatures for reference, with the following scale in mind:

100° AND ABOVE: CYBER WARFARE

This “gaseous” state reflects the chaotic and dangerous conditions past a boiling point. This would suggest the use of cyber operations – for destruction, espionage, and influence – in the context of an armed conflict or war that has harmed and/or targeted civilians. While the scale and severity of such cyber warfare can vary, this abuse of technology that harms innocent people is obviously the worst-case scenario. Evidence of this would be the wanton use of cyber operations in warfare in violation of international norms and/or international legal requirements that puts non-military targets at risk.

0° – 99°: CYBER CONFLICT

This “liquid” state reflects some degree of cyber conflict short of armed conflict or warfare. It would be characterized by a lack of clarity around international expectations online and/or some degree of inability to uphold or enforce such expectations. Evidence of this would include reckless cyber activity by nation state actors, regularized abuses by other sophisticated actors, and limited progress in diplomatic forums to advance a global framework for responsible state behavior online.

LESS THAN 0°: CYBER STABILITY

This “solid” state reflects stability in international cybersecurity. It would require the existence of a clear rules-based order online with a robust international system in place to uphold such expectations. This would be characterized by a scarcity of state-sponsored cyber operations that violate international norms, as well as limited threats posed by other sophisticated actors.

Cyberspace has emerged as a distinct domain of conflict, as evidenced by the growing number of states dedicating military and diplomatic resources to it and the increasing frequency of offensive cyber operations. As with other physical domains of conflict, it is essential to build the necessary rules, processes and institutions to promote stability, security and human rights online, and to discourage abuses. In evaluating the annual state of cyber conflict, the Cybersecurity Tech Accord considers significant developments from the past year across three criteria: (i) diplomatic and institutional progress, (ii) the scale and nature of cyber conflict, and (iii) technological developments.

In 2023, the Cyber Conflict Thermometer now reads 100°, the “boiling point”. This evaluation is based on several increases in cyber conflict in the past year, most notably the widespread use of cyber operations in Russia’s war in Ukraine that began in 2022. Despite some positive signs of necessary institutional development to address escalating cyber conflict, there was insufficient diplomatic progress in the past year to suggest that the international system is prepared to promote accountability for behavior that violates established international expectations. We consider this a shift in the wrong direction, as the temperature would have been considered below 100° in prior years.

Major indicators and developments in the past year driving this evaluation:

Diplomatic and institutional progress

Limited progress within UN working group: Negative
In the face of rising geopolitical tensions and the widespread use of cyber operations in
warfare, the UN working group tasked with deliberating responsible state behavior online
has made very limited progress. The working group has consistently voted to exclude
participation of relevant nongovernmental stakeholders, including the Cybersecurity
Tech Accord and other industry voices, in a series of formal substantive meetings over
the past year. Unfortunately, there has been seemingly no political will among member
states for cooperation in establishing accountability measures or necessary new norms for
responsible behavior online. The UN General Assembly also voted to establish a “Programme
of Action” on cyber in the past year that could serve as a more robust and inclusive
body in the future, but much will depend on how it is structured and implemented.

Global investment in cyber diplomacy: Positive
It’s important to have the necessary diplomatic capacities to engage on matters of peace and
security online as geopolitical tensions rise. It was encouraging to see the United States (US) last
year pass the Cyber Diplomacy Act and elevate the status of these issues by establishing a new
Bureau for Cyberspace and Digital Policy at the State Department, led by a new Ambassador-at-Large. Similarly, the European Union (EU) debuted a more streamlined approach and expanded
investment in digital diplomacy last summer when it announced plans for a new office focused
on these issues to be opened in Silicon Valley. Meanwhile, Singapore continues to advance cyber
diplomacy capacity building via its investment in the ASEAN-Singapore Cybersecurity Centre of
Excellence (ASCCE) that provides associated trainings and workshops with partner countries.

Scale and nature of cyber conflict

Cyberwar in Ukraine: Negative
Beginning in February of last year, cyber operations have been regularly employed in the world’s
first ever large-scale hybrid war: Russia’s illegal invasion of Ukraine. This unprecedented
use of cyber capabilities – both destructive attacks and information operations – has been
coordinated with kinetic activities and targeted both government and civilian infrastructure.
This has included reports of cyberattacks against the most sensitive infrastructure,
including nuclear power plants, illustrating that apparently no targets are off limits.

Multistakeholder response in Ukraine: Positive
While the use of cyber operations by Russia in Ukraine has been a very concerning
development, the response from industry and civil society has been a bright spot.
Numerous companies, including many Cybersecurity Tech Accord signatories, stepped
up early in the conflict to provide support to protect sensitive Ukrainian data and
infrastructure from cyberattacks. This included hardening defenses, migrating data to
more secure environments, and in some cases, taking action against cyber operations.

Escalating numbers of sophisticated attacks: Negative
The scale and sophistication of cyberattacks continued to increase in raw numbers over the
past year. According to data maintained by CSIS, there were more than 130 “significant cyber
incidents” reported in 2022, continuing an upward trend of more than a decade now.

Aligned opposition to cyber mercenaries: Positive
The market for cyber mercenaries — private companies that develop offensive cyber
tools — has been growing for years. But in recent months, we’ve witnessed increased
unified opposition to their use. This was reflected in an Executive Order from the Biden
administration in the US that curbs their use, as well as the principles on how industry
can push back on cyber mercenaries released by the Cybersecurity Tech Accord.

Rise of “hacktivist” groups: Negative
Beyond government-led cyber operations, the invasion of Ukraine has also brought
about a significant rise in activity from politically motivated but independent
malicious hacker groups on either side of the war. And the phenomenon is not
limited to that one theatre, as there has been a notable spike in hacktivist activity in
recent months around the world spurred on by geopolitical tensions elsewhere.

Technological developments

Attacks on ICT supply chain: Negative
Over the past year there has been increased targeting of the ICT supply chain, in
particular by state actors – compromising technology elements to target users
and customers downstream. This kind of compromise, including the targeting of
software update mechanisms, is inherently indiscriminate and irresponsible as it
involves compromising numerous unintended computer systems in the process.

Rise of Artificial Intelligence (AI): Positive
Certainly, the largest technology story of the past twelve months has been the rise of next-generation generative AI programs. Given the novelty of this advancement, it is difficult
to determine what its full impact will be on security across the digital ecosystem. Early
benefits will include security applications that help to address the cybersecurity skills
shortage by improving analytics, security practices, and automating certain processes
at scale. To be sure, there will also be malicious applications to support offensive
activities, but on balance near-term applications will help improve ecosystem security.

Taken together, despite some positive accomplishments, the major events of the past year have
served to increase geopolitical tensions and conflict online to an unprecedented level. We look forward
to working across diplomatic forums as a coalition and in our respective capacities as technology
companies over the next year, to promote a rights-respecting and rules-based order for the online
world to better protect our users and customers everywhere. We are hopeful that when we revisit this
evaluation in 2024, the temperature of cyber conflict will have cooled significantly around the world.