Last year, the Organization of American States (OAS) adopted a resolution stressing the need for its member states to develop a set of confidence-building measures (CBMs) for cyberspace. The objectives of the initiative include promoting trust, improving deterrence, and facilitating greater cooperation in cybersecurity. It is difficult to overstate the importance of this work amidst escalating geopolitical tensions online. Acknowledging this, the Cybersecurity Tech Accord signatories are today publishing a set of recommendations with the hope that they will help make the initiative even stronger. “Promoting international peace and stability by building trust between states in cyberspace: The importance of effective confidence-building measures,” highlights the value of effective CBMs, their potential to improve cybersecurity, and provides concrete guidance for states pursuing such efforts.
To say that cyberspace is a new domain of conflict is nothing new. The proverbial “fifth domain” of conflict has been recognized by military planners for over two decades and, according to research, more than sixty nations today are actively pursuing the development of offensive military capabilities in cyberspace. But while much digital ink has been spilled over this conceptual development, and states continue to rush to create new digital weapons in defense ministries around the world, far less has been done to build the necessary infrastructure to stabilize this domain of conflict in ways similar to the physical domains of air, land, sea, and space.
Diplomats, policymakers and experts from industry and civil society worked over many decades to identify ways to reduce conventional military tensions by promoting greater understanding among nations. Governments today provide advance notice of military maneuvers and exercises, transparency in defense budgets and strategies, and have even established direct lines of communication between heads of state to avoid consequential misunderstandings. Moreover, there have been cooperative efforts to build trust, including between adversaries at the height of the Cold War, on issues such as space research and even travel for years.
All these discrete efforts can be described as confidence-building measures, ways that states engage with each other to reduce tensions. It is not hard to see the value of these activities as they have contributed to the persistent reduction in both the number and scale of conflicts between states over the last century. What is also readily apparent, however, is the absence of much of this deliberate trust-building work in cyberspace. In this domain, capabilities and intentions are still held quite close to the vest and tensions continue to escalate.
There are certainly unique qualities to cyber conflict that have made the adoption of traditional CBMs more challenging, including the relatively nascent frameworks of norms for behavior and the lack of a comprehensive international legal framework from which expectations of behavior could be established. Naval vessels, for example, know that violating the territorial waters of another state is provocative precisely because there are international agreements about what territorial waters are. In addition, the virtual nature of cyberspace makes it inherently difficult to be convincingly transparent about one’s capabilities in the domain, especially as such capabilities are constantly evolving.
Just the same, progress in establishing effective CBMs for cyberspace is essential for the protection of a free and secure internet. And while challenging, there are meaningful steps that can be taken by states which the Cybersecurity Tech Accord enumerates in its report, including:
- Develop shared positions and interpretations of key cybersecurity issues and concepts,
- Appoint a “cyber ambassador” to facilitate engagement and monitor evolutions in capabilities,
- Engage in dialogues around developing clear cyber warfare doctrines, and around international law and cybersecurity norms,
- Develop a list of facilities that are off limits for cyber-attacks,
- Establish channels of communication to respond to requests for assistance from other states,
- Create measures to promote cooperation among legal, technical and diplomatic communities,
- Nurture cooperation between national Computer Emergency Response Teams (CERTs),
- Exercise cybersecurity scenarios, within the government, with key national stakeholders, and with other nations,
- Engage with other stakeholders – from government, civil society, and industry.
These are the kinds of activities that not only promote understanding between nations, but also improve states’ cybersecurity capabilities such that all nations become more secure online. While the pursuit of offensive technology in cyberspace may be unavoidable, nations should be encouraged to prioritize investments in defense. Even more critically, states should dedicate an equal amount of time and energy to engaging with one another to a) share cybersecurity learnings and benefits as soon, and as broadly, as possible; b) ensure their actions and intentions in cyberspace are not misinterpreted, leading to unintentional escalations; and c) increase the role of deterrence in cyberspace. Unlike other domains of conflict, cyberspace is not finite and gains are not zero-sum – when any nation is more secure, we are all more secure.