There’s no shortage of governments accused of interfering through the Internet in the affairs of other countries. North Korea is allegedly behind the WannaCry ransomware and the theft of money from a bank in Bangladesh, the Russians have been accused of a disinformation campaign during the last U.S. election and China has been fingered for an attack on Canada’s National Research Council.
Is this an era of undeclared constant cyber warfare?
“We certainly seem to be in a constant state of cyber conflict,” says Adam Segal, director of the digital and cyberspace policy program at the U.S.-based Council on Foreign Relations. He shies away from using the word “war” because it has a legal meaning.
But he agrees that “we are definitely at a place where lots of states see that they can use cyber attacks for espionage or political disruption or coercion, and they can do it pretty much without cost – North Koreans using it to raise money or to punish the U.S. or others for sanctions, and the Russians to use it for interference – and we haven’t made any progress on developing any international rules on how states should behave in this space.”
That lack of progress was most notable last summer when the fourth meeting of the United Nations’ Group of Experts on Information Security — an advisory committee — failed to reach a consensus. The three previous meetings found unanimity on all issues, but the last session foundered on how international law applies to the use of information and communications technologies by countries.
Segal will co-host the annual International Cyber Risk Management Conference in Toronto April 11-12. Sessions include looking at regulatory regimes, cyber risk management from the C-suite, the Internet of Things, a table-top hacking exercise, cyber insurance and resiliency.
Some of these issues will also be discussed at the annual RightsCon conference, this year in Toronto May 16-18.
Segal believes it’s hard for nations to agree on cyber norms partly because they don’t see eye to eye on what should be managed: The U.S. and its allies see destructive cyber attacks as a priority, while the Russians and others are concerned about online content and threats to their domestic stability. But, he added, “we’re probably not far enough along in states developing or using cyber capacity so nobody really wants to give up anything without knowing if it’s worth giving up.”
The failure of the U.N. Group of Experts “was pretty consequential because nobody knows what should happen now. There was some notable progress between 2013 and 2015 on defining some of the norms of state behavior and applying the law of armed conflict in cyber space,” he said, “so where the discussion goes now and where it will happen isn’t clear.” There’s hope the U.N. itself will pick up discussions.
Asked what the odds are the world will split into two on Internet governance, Segal thinks we’re already on that path. “The U.S. and its Five Eye partners [the intelligence-sharing group that includes Canada, the U.K., Australia and New Zealand] and the EU (European Union) are still promoting a global open and secure Internet,” he said. Meanwhile China, Russia and other countries want more state control over the Internet. A third group, he added, including India and Brazil, sometimes seem to align themselves with Russia and China on how the Internet should be governed, but not on censorship and filtering.