International community needs restraint, collaboration and transparency to reduce risks of cyber conflict

Around the world, attacks on information and communications technology (ICT) infrastructure have become increasingly common. Recent events, such as the alleged United States cyberattack on Iranian military systems, phishing attacks on Ukrainian government and military officials, and reports of North Korea raising $2 billion through illegal cyberattacks, highlight the shift towards cyberspace as a frontline of conflict. While this trend is not new, it is quickly growing in scale. As the prominence of cyberattacks grows, so too does the need for international restraint and cooperation, for the sake of individuals and their rights around the world.

These recent events have garnered more attention than most, but they are not unique in contributing to international instability. State-sponsored cyberattacks occur frequently across the globe: in just the first five months of 2019, the Center for Strategic and International Studies (CSIS) recorded 39 significant cyber incidents affecting a wide range of state and non-state entities. These incidents involved over thirty countries and are believed to have been carried out by nation-states, independent groups and unknown actors alike.

The challenges these incidents pose to international stability are complicated by the additional risk cyber conflict creates for civilians and businesses. Malicious actors can inflict economic harm, put human lives at risk, and undermine the trust that is essential to an open, free, and secure internet. Moreover, unlike other types of attacks, cyberattacks increase the risk of retaliation aimed directly at domestic and private sector holdings, which are often more vulnerable than high-security state assets.

Regardless of target, cyberattacks increasingly impact the security of civilians and the stability of international relations. Thankfully, the risk posed by such attacks can be mitigated with deliberate cooperation, active communication, and exercised restraint. The Cybersecurity Tech Accord signatories are committed to these efforts and to utilizing our collective expertise to address a variety of cybersecurity challenges. Our work is grounded in a set of basic guiding principles: i) innocent civilians and enterprises should never be targeted by cyberattacks; ii) international cybersecurity discussions need to be multistakeholder in nature; iii) international law and human rights form the basis of international cybersecurity. These are reflected in the following recommendations, which we believe are critical to reducing the risk of cyber conflict:

Establish, implement and uphold international norms

International norms of responsible behavior in cyberspace are fundamental to creating a common understanding of acceptable and unacceptable actions. As such, the Cybersecurity Tech Accord welcomes the creation of two key processes at the United Nations to deal with this issue – the Open Ended Working Group (OEWG) and a renewed Group of Governmental Experts (UNGGE). While we are disappointed to learn that only a few non-government entities will be able to participate in the first meetings next week, we hope for greater inclusion in the future. It is our wish that the discussions to come will emphasize consensus, collaboration, cooperative capacity-building, and a firm grounding in international law, just as the 2015 report did, and build further on that basis.

Consider and include multistakeholder efforts

However, previous UN discussions have still fallen short in one key aspect: effective multistakeholder inclusion. In recent years we have seen important substantive efforts in this space, which have been advanced by the multistakeholder community, that should be considered in the UN conversations. First and foremost stands the example of the Paris Call for Trust and Security in Cyberspace, the largest multistakeholder agreement on cybersecurity, of which the Cybersecurity Tech Accord is a proud supporter alongside 450+ other non-governmental entities as well as 65+ governments. We hope that the Paris Call will continue to evolve and provide an avenue for discussion of the principles it has put forward. We strongly encourage the UNGGE and the OEWG to follow this model. The issues we face cannot be solved by governments alone.

Of course, beyond agreeing upon cyberspace norms, the international community must take concrete action to uphold these norms. Again, collaboration between governmental and non-governmental organizations is key to developing these policies. For example, the Cybersecurity Tech Accord is a leading advocate of vulnerability disclosure policies, a private industry practice that aligns with and benefits international cybersecurity goals. In all regards, the inclusion of additional voices in the international dialogue on responsible nation state behaviors is critical to help set the direction for broader conversations and identify appropriate pathways forward.

Develop confidence-building measures

In tandem with emerging international norms of behavior and increased transparency, confidence-building measures (CBMs) are an effective way to contribute to peace and stability in cyberspace, by way of increasing the understanding of intent behind particular actions. Given their potential role in the de-escalation of hostilities, the international community would be well served by agreeing to and implementing a discrete set of CBMs. Indeed, the Cybersecurity Tech Accord signatories recently put forward a white paper on the subject, encouraging the development of a shared understanding of key cybersecurity concepts, designating certain facilities as “off-limits”, and fostering cooperation among experts and response teams. These types of measures would meaningfully change the current trajectory of hostilities online.

Overall, as tensions around the world increasingly include an online dimension, the Cybersecurity Tech Accord signatories call on the international community to exercise restraint. We are especially concerned by the outsized impact cyberattacks can have on civilians and civilian institutions. It is critical that all stakeholders recognize that a stable and trustworthy cyberspace remains in the best interest of the international community.