So given all this difficulty in building treaties, what the intellectuals are doing right now is resorting to confidence building measures. If you look at what happened in terms of some of the other warfare, like chemical warfare, and nuclear warfare, at the precursor to treaty building we had confidence building measures. So a similar approach is being applied to cyber warfare now. Let's look at some confidence building measures.
So what we will do next is we will examine the typical CBM from other domains and see how they apply to cyber warfare.
The first one is troop movements and exercises. Now why is this important? Troop movements and exercises are important because we want to make sure that somebody's doing a simple exercises does not alert another country into launching retaliatory warfare. So as long as people are informed about troop movements and exercises, there is confidence and these things are predetermined and the other countries can take measured responses, measured access to make sure that they don’t have a compromise on their security. Second thing is the exchange of information about assets. If there's a war going on, there is a risk going on through all the countries in terms of the assets. Each country is trying to make sure that there is parity, or the status quo does not change. If it changes, it changes in their favor.
So as long as people have information about other people's assets, they can measure their own assets and make sure that they calibrate well rather than running into an arms race without knowing what the other person is doing.
Third, exchange of personnel and joint exercises.
This is to basically build cordial relations among military personnels. And so how that helps is it helps basically put person-to-person exchange to help reduce the tension. People meeting physically and it's a better psychological exercise to reduce tensions. Fourth, the communication mechanisms to deescalate situations. Sometimes incidents do happen because of a rogue commander, or because of a boundary which is not clearly defined. In that case, there needs to be hotlines and communication mechanisms. To basically understand what happened, get to the root of it, and deescalate situations rather than to escalate it further.
And fifth, the prohibited weapons. For instance, critical infrastructure. They need to understand that in any domain, what is prohibited. For instance, attacks on hospitals should be prohibited and they are. And whenever there is a white flag or a red cross, those are prohibited targets for being attacked.
For instance, for cyber warfare, that will be the critical infrastructure that these are basically areas that should not be attacked, like the power supply and the water supply and things that impact ordinary citizens.
And lastly, training and education. Having training and education across multiple countries, having training and education together will help people identify and understand each other better and be able to better respond to each other.
And several different organizations are currently pursuing a cyber conference building measure agenda including the United Nations and the Organization of Security and Cooperation in Europe. After 2012 conference to assess the role of CBMs to increase stability in cyberspace. In 2013, the Organization of Security and Cooperation in Europe adopted the first ever cyber/ICT security-related multilateral confidence building measure, or a set of measures. While non-binding, this effort demonstrated diplomatic momentum towards a consensus in creating CBMs.
In the past, CBMs have been used by adversarial states to prevent mutually destructive incidents arising out of misunderstandings.
CBMs were developed during Cold War to prevent accidental nuclear attacks.
They include a variety of measures, as we discussed, above, including communication channels such as hotlines and exchange of,
Exchange of information or troop movements as we discussed above.
As well as notification of military exercises and CBMs are to prevent unintended escalation of incident where miscalculation, misinformation, or misattribution of an incident. Such measures for cyberspace could help avoid a full-scale war and prevent escalation of an innocuous incident into a kinetic attack or conventional warfare. The goal is to reduce tension and make the behavioral states more predictable while facilitating communication about their adversaries and establishing constraints on military operations. CBMs, for cyber warfare, are aligned across four dimensions. Communication. Constraint. Transparency. Verification.
While CBMs have been difficult, effective in respect to nuclear, conventional and chemical warfare, there are challenges that need to be addressed with respect to their applicability to cyberspace.
First, communication measures to seek to enhance mutual understanding of each other's capabilities and reduce the element of surprise by rivals or adversaries.
Information about group movements, exercises, and other maneuvers are often exchanged in conventional military personnel exchanges and joint training and tabletop exercises. In addition, hotlines are established among senior officials to defuse crisis situations and prevent them from escalating. The fundamental problem in cyber domain is that there is very little trust in the information exchanged. The operational activities of cyber warfare are camouflaged and often conducted through proxy groups.
Consequently, there is very little information that the governments can share and which can be verified. What they can share is primarily information about activities of terrorist groups.
They may also establish communication channels to diffuse situations during real incidents or establish cells that communicate with each other. Constraint measures are typically created to reduce possibilities for surprise military attacks, include placing limits on troop movements and exercises
as well as establishing de-militarized and weapons-free zones. The hard truth in cyber warfare is that each state is engaged in strategically positioning themselves for cyber warfare.
States are blaming each other for activities that they themselves are engaged in. Given that states want to explore new avenues for using their cyber capabilities, they resist allowing themselves to be shackled by constraint measure.
It may be difficult to build broad consensus on the entire field of activities that many consider cyber warfare. However, common ground could be perhaps found on issues such as protecting critical infrastructure and financial institutions.
Attacks on critical infrastructure can have disastrous consequences for the general public. Can cause mutual hardships among states and attacks on financial systems can destabilize an increasingly connected world economy. And really, really hurt the economic progress of the word, leading us to a depression that could be very dangerous.
Transparency in cyber domain is also very difficult because unlike in conventional warfare, misdirection is not only possible but is frequently used to deflect blame.
As we can elaborate below, anonymity on the Internet makes attribution hard, if not impossible.
Verification measures are critical to building trust among adversaries, including measures to allow adversary states to monitor military facilities, plans, and arsenals. Monitoring can be done bilaterally or through trusted parties, such as the UN or the OSCE.
Conventional verification measures include site visits, satellite imaging, photography, and ground intelligence based on third parties. In the cyber world, the analogous verification would be very difficult, unless it involves defection of hackers from one country to another.
One possible verification measure would be to create an international computer emergency readiness team, with personnel from multiple countries working together on international incidents.
Where the actions of all the countries are coordinated. However, inner trust, again, is still lacking among countries, and each country would be accusing another country of spying for each other. So again, there lies the difficulty of trust. As evident from the discussion above, many agreements on confidence-building measures and treaty formulations are stymied because of limited technical means of verification.
Mutual distrust based on past conflicts among nations, coupled with problem of attribution has made consensus building seemingly intractable.
Consequently, consensus can only be reached on fairly generic goals with specifically delineated communication constraint, transparency and verification measures.
In light of limited means of verification, negotiations towards CBM agreements, other treaties may seem rather futile. However, there are techniques and technological developments that may improve attribution in the future and provide more attraction for consensus building on cyberspace treaties and CBMs. For now, it looks like CBMs are the most potent way to go forward and probably the most benign way of moving forward given the mutual distrust that we have in cyber space.
The hard truth is that each country is engaged in strategically positioning themselves in cyber warfare. Countries are redefining their military doctrines to include cyber warfare as a critical arena of conflict. And the cost to acquire cyber-weaponry is much lower than that for conventional weapons acquisitions, so countries are considering cyber warfare as a way of balancing asymmetry in conventional weaponry. At the same time, countries with favorable military strength are investing heavily in both cyber offense and defense to ensure the continuation of asymmetry, leading to a cyber arms race. The countries are blaming each other for activities that they themselves have engaged in. Not really the ideal situation for building trust.
So it is hard to build confidence at the same time as countries race forward to overtake each other in developing cyber weapons. Distrust lingering on from the Cold War and new development in the Ukraine do not help the cause of corporation. It would be such a waste to see all the good will that the countries have built to be just squandered away. I sincerely do hope that we are able to find common ground and a way to move forward through the current geopolitics and create international laws that can help redefine the way we do business in cyberspace.
http://ict4peace.org/wp-content/uploads/2015/04/processbrief_2013_cbm_wt-71.pdf
No comments:
Post a Comment