Cyberspace security is too often viewed through a prism of technological terms and concepts. In my experience, even supposedly non-technical discussions of cyberspace quickly devolve into heated debates about “vulnerability coordination”, “the latest malware”, “the best analytical tools”, “threat information sharing”, and so on. While these are interesting and important topics, it is ultimately people and their personal perspectives – not technology – that largely shape governments’ political, diplomatic and military choices in cyberspace.
At the heart of government’s “human” decision-making in cyberspace are understanding and trust. The two are not the same. It’s possible for one state to understand another’s capabilities in cyberspace but not to trust their intentions. The reverse is also true, with trust existing outside of understanding another’s capabilities. But, by and large, some level of understanding about what another state can and can’t do in cyberspace should at least reduce distrust. And that can help governments make rational judgments about each other’s behaviors as well as de-escalate tensions between and among states.
One significant complication in building understanding and diffusing distrust is the fact that many systems useful in cyber-defense can also be used in cyber-offense. When a state invests in cyber to defend itself, its rivals might instead see a growth in offensive capabilities. This is not a question of technical understanding but rather of reading the intent of others. A very human response to someone seemingly gearing up for conflict is to build at the very least one’s own defenses (and to, potentially, even increase one’s offensive as well as retaliatory capabilities). Such a move is, however, equally liable to misinterpretation by others. Thus, escalation spreads, trust evaporates, and distrust balloons, leaving cyberspace, on which so much of modern life depends, akin to a powder keg, ready to explode. The potential for a cyber arms race is as real as it is dangerous.
An essential response to this critical challenge is the use of confidence building measures (CBMs) between states. Today, CBMs are still generally seen as vectors for instilling good cybersecurity practices, especially during a country’s early entry into cyberspace. Certainly, CBMs can help such countries counter the threat of cybercrime, and can also help promote international consistency in cybersecurity approaches, which is an essential part of combating cybercrime. However, CBMs are much more than this.
Coming of age under the threat of Cold War nuclear annihilation, CBMs enable states to minimize exactly the kind of misunderstandings that fuel distrust and exacerbate tensions. In many ways, they are akin to pressure valves for states to use before a situation escalates into conflict. CBMs can help states step back from thinking, “We need to get our cyber-retaliation in first”. They may not lead directly to trust but what they provide is manifestly better than its absence. They have a manifest role to play in ensuring the safety and stability of cyberspace by reducing the risk of cyberwar from breaking out. As such, they can be a necessary prerequisite to building trust.
CBMs are already being built into critical state-to-state cyberspace agreements. The UNGGE 2015 (voluntary) norms placed CBMs at the core of responsible state behavior in cyberspace. In the UNGGE’s words, they “allow the international community to assess the activities and intention of States”. That assessment of actions and intent is absolutely essential to addressing the human perspective. The UNGGE leveraged previous work done in the framework of the Organization for Security and Co-operation in Europe (OSCE), namely its 2013 CBMs. In this respect, it is significant that just last year the OSCE expanded on its CBM work precisely because, “events in cyberspace often leave room for ambiguity, speculation and misunderstanding. The worry is that miscalculations and misperceptions between states arising from activities in cyberspace could escalate, leading to serious consequences for citizens as well as for the economy and administration, and potentially fueling political tensions.”
A failure to mature and refine CBMs globally adds to distrust and militarization in cyberspace, i.e. the aforementioned cyber arms race. The consequences of the “miscalculations and misperceptions” that the OSCE warned of can easily move from the virtual world to the real one. For example, 2010’s so-called “Pakistan-India cyberwar” saw “cyber armies” from each country vandalizing official websites, exacerbating serious diplomatic and military tensions after the 2008 Mumbai terror attacks. Furthermore, recent tensions between parts of the West and Russia, North Korea or even China all feature strong elements of “cyber-distrust”. The danger, of course, is that once there is “cyber-distrust” among states it is likely spread into other spheres, if left unchecked, and vice versa.
So, if the human perspective matters at least as much as the technology when it comes to government decision-making about cyberspace, all parties should take every opportunity to promote understanding and reduced distrust between states. We should use whatever tools seem most appropriate to do so, . CBMs are essential in this regard. They are and remain a key tool in the cyber peacebuilder’s toolkit.