Who would have predicted that one day we would regret the competition between the nuclear powers? Cyberwarfare could be as dangerous as nuclear risk. Why ? Because we had learned to manage this one. Not this one yet. And that a poorly controlled cyber-conflict can trigger the traditional process of climbing to extremes. For a few years now, the European Union has strived to develop its cybersecurity capabilities amid multiplied cyberattacks on both European businesses and public services. In parallel, European countries developed their strategies towards the cyberspace. Nevertheless, within the union, not everyone is in the same boat.

What Is Exactly the Cyberspace?

The expression cyberspace comes from science fiction. William Gibson, considered as the founding father of the “cyber punk”, a very peculiar style of science-fiction, used the expression for the first time in his novel “Neuromancer” (1984). He describes a world governed by powerful computers to which men are connected by a neural chip implanted in their brains. Cyberspace was born in science fiction. Thus, it is not surprising that it was developed within a libertarian and protesting ideology.

This is the probable reason why the Internet began evolving into an ideal of democracy without government, as described in the “Cyberspace Manifesto[1]. The author of the declaration, John Perry Barlow, distinguishes the cyberspace from the physical space and points out that there is no more monopoly of legitimate violence and, therefore, no more state power. Although he might have been right in 1996, the truths of yore are no more. It was obvious that the Internet could not remain without regulation forever as, in fact, no field of human activity ever completely escapes the law. The density of regulation can vary considerably; can be limited to a minimum when it is necessary or, on the contrary, can be extremely abundant when it comes to sensitive fields (i.e. weapons, sensitive technologies, hazardous activities, etc.). However, it is never nil.

Since the Internet is now central to our society it is inevitable that states act on it and, although being fragmented, it is already regulated. From this point of view, the libertarian ideal remains partly an utopia. Yet, the existence of a regulation is also a guarantee of protection against the instrumentalization of freedom. As Grotius wrote: « where judicial settlement fails, war begins« [2].

The emergence of states’ implication on the web does not mean that the latter should be deprived of its characteristics of openness, freedom and unhindered circulation. For example, access to the Internet is considered by all democratic nations as a fundamental right that is as much about freedom of expression as it is to undertake or protect one’s private life. From this point of view, the libertarian ideal is not dead. The Internet remains somehow a res nullius, and, as such, it would be outrageous to fence it with barriers of censures. Somehow, History repeats itself. While Grotius defended regulation, he also defended the sacred right to oppose those who hindered access to the high seas, which, according to him, could not be seized by anyone. It is the same truth for the Internet: it includes a libertarian component sui generis, and a necessary regulated component. The problem is that no known scheme of the theory of the state is available specifically about the Internet. It is not a territory like the others, it has no fixed boundaries. It is essentially a constant flow of data. Despite, its particularism, there are three approaches to the Internet[4].

a1489234523_10
John Perry Barlow – A Declaration of the Independence of Cyberspace

Firstly, the Internet can be conceived as an artificial portion of the territory of a state. The latter would therefore have a geographical territory and a specific digital territory. It’s the isotopic approach. Secondly, it can be thought of as a totally autonomous territory and distinct from physical territories. It is then the virtuality of the Internet that typifies it, regardless its roots and effects in real life. It is the utopian conception. Finally, it can then be viewed as a separate territory that crosses physical territories. It exists through them but transcends them in many aspects. In this case, we are talking about the heterotopic conception. It is, by nature, international[5], which automatically excludes national regulation, and necessarily calls for an absolute and complete regulation at the international level.

The third conception seems to be the one that best adapts to reality. It is obvious that the Internet has an intrinsically international dimension. Cyberspace cannot be controlled from one State, and it is illusory to pretend controlling it completely. Internationality and freedom are its essence. However, it passes through the territory of the States[6]. It is not ethereal as the data is composed of electrical signals. Activities on the web can have a direct effect on the territory of the states. Furthermore, a cyberattack only makes sense because of damage caused and the weakening of the target. For example, the attack on the alleged nuclear power plant in Natanz, Iran, before the conclusion of the agreement on Iran’s civilian nuclear power, substantiates it easily. The aim was, for US and Israeli services, to damage a reactor that could be used to make hydrogen bombs. Without physical effects in situ, the cyberattack would have had no interest. It the same with online economic activity. However, Facebook’s data collection and analysis activity on the Internet, and the billions of dollars of its revenue per year are real. Without real revenues, there would have no reason to exist. Any remote activity on the net also has a local cause or effect[7].

Furthermore, it is admitted that the “cyberspace” is composed of three layers. The first is the physical layer. It regroups all the connected devices (computers, connected objects or others), physical links that binds them (telephone line, fibre optic cables, satellites, etc.), storage devices (from the RAM of a personal computer to a data centre, from the USB key to the cloud). The second layer is the digital layer. It is physically composed of binary entries convertible into analogical signals (electrical or radio type). This is the most visible part of the Internet. Finally, the third layer is the legal layer. This is the regulation that decides which part of the Internet is accessible or not. It is this layer that makes that a user can no longer find on a search engine a dereferenced result (i.e. on the basis of the right to be forgotten, because of its pedo-pornographic content or, in a non-democratic country, censorship). The legal layer is undeniably crucial of the access and the use of the Internet.

Why Care About the Cyberspace ?

Cyberspace is a growth factor that profoundly modifies economies and human relations. Even today, it is difficult to seize all its societal impacts. Moreover, the rapid evolution of technologies such as Artificial Intelligence or robots does not make it easier to apprehend it. Therefore, its impact on our cognitive and economic behaviours, added to the emergence of new economic sectors, put it on the top of our concerns.

Cyberspace is also a field of conflicts where malicious acts are in full swing. It is a major issue for international security. In a 2015 report, the United Nations Group of Governmental Experts (UN GGE) expressed concern over the dramatic rise in incidents involving malicious use of ICTs[8] against vital states’ infrastructure as well as at international companies. In 2016, more than 4000 daily ransomware attacks were launched[9] around the world and more than 80% of companies in the European Union (EU) have been hit by a cyberattack.

Unlike the “usual” war, belligerents of the cyberwarfare are far more diffuse. Therefore, the responsible of a cyberattack might never be clearly determined. It can be states, proxies (intermediary groups with more or less links with states), terrorists, mafias, “black hat” hackers[10]  or private companies in the business of cyberattacks. Yet, private actors certainly possess a cyber strike force similar to the States and might be less reluctant to use it.

outputlsl2i4
Norse’s real-time cyberattack map.

Thinking about “The future of Cyberwarfare

As settled in , the European Commission started off its cybersecurity improvement strategy back in 2013[11], seeking to address the growing menace as it is indeed perceived by many Europeans. The strategy therefore classifies four major priorities to enhance cybersecurity at the supranational scale, and hence citizens’ security within the European cyberspace:

  • “Freedom and openness: the strategy outlines the vision and principles on applying core EU values and fundamental rights in cyberspace.
  • The EU’s laws, norms and core values apply as much in cyberspace as in the physical world: responsibility for a more secure cyberspace lies with all players within the global information society, from citizens to governments.
  • Developing cyber security capacity building: the EU engages with international partners and organisations, the private sector and civil society to support global capacity building in third countries. This includes improving access to information and to an open internet and, preventing cyber threats.
  • Fostering international cooperation in cyberspace: preserving open, free and secure cyberspace is a global challenge, which the EU is addressing together with relevant international partners and organisations, the private sector and civil society.”

At the Tallinn Digital Summit in 2017, the Commission proposed[12] 6 measures to reinforce the EU’s resilience, deterrence and response to cyber-attacks. This resulted in a proposal for a “Cybersecurity Act”[13].

The first measure is to reform the European Union Cybersecurity Agency to assist Member States in dealing with cyberattacks. The European Union Agency for Network and Information Security (ENISA) contributes to securing Europe’s information society by raising “awareness of network and information security and to develop and promote a culture, of network and information security in society for the benefit of citizens, consumers, enterprises and public-sector organizations in the Union”[14]. Therefore, the reform aims at better defining the role of ENISA in the changed IT security ecosystem and develop measures on IT security standards, certification and labelling to make ICT-based systems, including connected objects, more secure.

The second measure’s goal is to develop an EU-wide certification framework to ensure that products and services are cybersecure. It will provide EU-wide certification schemes as a comprehensive set of rules, technical requirements, standards and procedures and the certification will attest that ICT products and services that have been certified in accordance with such a scheme comply with specified cybersecurity requirements.

The third measure is to build a Blueprint for a coordinated response to large-scale cross-border cyber incidents. Therefore, the ENISA will contribute to the development of a cooperative response, at Union and Member States level, to large-scale cross-border incidents or crises related to the cybersecurity through a series of tasks from contributing to establish a situational awareness at Union level to testing the cooperation plans for incidents.

The fourth measure aims to establish a network of competence centres in the Member States and a European Cybersecurity Research and Competence Centre to help develop and roll out the tools and technology needed to keep up with an ever-changing threat.

The fifth measure involves presenting a new Directive to combat fraud and counterfeiting of non-cash means of payment[15]. The Council of Europe Convention on Cybercrime (Budapest Convention)[16] , in its Title 2 covering computer-related offences, requires the Parties to the Convention to establish computer-related forgery (Article 7) and computer-related fraud (Article 8) as criminal offences under their respective domestic laws. As it has been mostly respected, the aim is now to enhance cooperation among police and judicial authorities and between law enforcement and private entities even further.

The sixth and final measure is to strengthen international cooperation on cybersecurity, including deepening of the cooperation between the EU and the North Atlantic Treaty Organisation (NATO)[17]. Indeed, an effective response to large scale cybersecurity incidents and crises requires swift and effective cooperation amongst all stakeholders and relies on the preparedness and capabilities of individual Member States as well as coordinated joint action supported by Union capabilities and the NATO.

In the light of the above, it is easy to understand that when it occurs to cybersecurity and, by extension, cyberwarfare, “cooperation” is the key.  Whether it is cooperation between Member states, between the Union and its Member states or between the Union and other international organizations such as NATO. Nonetheless, it is much less easy to grasp the interactions among each other.

On April 11th, 2018, the Brussels Office of the Antall József Knowledge Centre and the Wilfried Martens Centre for European Studies organised a conference on the future of Cyberwarfare and gathered leading officials from supranational organisations, Hungarian diplomatic officials, and experts from countries at the forefront of enhancing cyber-defence capabilities through capacity-building and deeper international cooperation. The conference was divided in two discussion panel. The first panel discussion was dedicated to the topic of countering the complex threat of a cyber-war on a supranational level. It posed the question whether the tools currently available to our international organizations are sufficient for protecting the state and its citizens in a digital era. The second panel discussed the issue of cyber-attacks from individual nation states’ point of view, focusing on national security strategies.

IMG_3366
Conference on the Future of Cyberwarfare, April 11th, 2018

Speakers eluded the “aggressive” part of “cyberwarfare, that is to say, cyberattacks and rather preferred focusing on preventive and defensive measures adopted and developed by states and supported by supranational organisations (EU, NATO and the OSCE for this case). Of course, the perennial question of the application of current international law in cyberspace has come to the fore. Nonetheless, should we not bring the debate back and take for granted the option of the EU and NATO which call for an application of current International law to the cyber-domain. However, it can be unanimously said that the current law is insufficient to address the current challenges.

Yet, the evocation of the “cyber-diplomatic toolbox” caught the attention. Indeed, before a full-scale cyberwar erupts, it should be provided a clear framework to avoid conflict and employ conflict prevention and confidence-building measures. For example, on June 7th, 2017, the Council of the EU approved the establishment of a framework for a joint diplomatic response by the EU to malicious cyber activities[18]. The established framework encourages cooperation, facilitates the reduction of immediate and long-term threats, and influences the behaviour of potential aggressors in the long term. This is part of the EU’s commitment to settle international disputes in cyberspace by peaceful means.

On the EU and NATO’s cooperation, a Technical Arrangement on cyber defence cooperation was signed in February 2016 in order to strengthen the cooperation on cyber defence, notably in the areas of information exchange, training, research and exercises. Cyber-defence is, for NATO, part of the Alliance’s core task of collective defence. Therefore, its top priority is the protection of the communications systems. Moreover, although NATO affirms that international law applies in cyberspace, the main issue remains the threshold of cyberattacks to trigger article 5’s disposition. This article provides that if a NATO Ally is the victim of an armed attack, each and every other member of the Alliance will consider this act as an armed attack against all members and will take the actions it deems necessary to assist the Ally attacked. Jens Stoltenberg, the NATO Secretary General, affirmed that a cyberattack could trigger Article 5 in the same way as a conventional military assault.

On a less coercive and more cooperative level, the Organisation for Security and Co-operation in Europe (OSCE) also plays a role in today’s preparation for the cyberwarfare of tomorrow. The OSCE is a security-oriented intergovernmental organization which mandate includes issues such as arms control, promotion of human rights, freedom of the press, and fair elections. Its approach to security encompasses politico-military, economic and environmental, and human aspects. So, the OSCE bases its cybersecurity’s preparation on Confidence Building Measures (CBMs) such as the exchange of military information or measures on the control of small arms and conventional ammunition. It aims to build assurance between states. For example, one of the most successful CBM is the Communications Network, which complements traditional diplomatic channels with secure and reliable infrastructure that enables information exchange and dialogue.

Individual State’s Preparation for Cyberwarfare

Each state has to possess a sufficient degree of cyber-resilience, as no outside power can fully supplement national efforts when it comes to cyber-protection and rebuilding systems during an attack. However, national efforts cannot be sufficient on their own, and developing a strong international cooperation is necessary. On the national level, a cross-sectoral cooperation is also required between governments, business sectors, and academia, to create and maintain a resilient national cyber domain. In order to apprehend how different countries deal with cybersecurity, we will develop three approaches within the EU: France, Spain and Hungary. This choice is justified by the difference in the perception of cybersecurity. Firstly, France is sometimes considered as a cyber-power, not as much as the United States, Russia or Israel but still is considered as a valuable asset for Europe. Secondly, Spain lagged in building a coordinated cyber-defence until the late 2010. However it is now a country that has a fully operational cyber-strategy. Finally, although it is one of the first countries of Central Europe to draw a cybersecurity strategy, Hungary formulated it in 2013 and is still processing it.

France

France’s national cybersecurity system is based on two key texts: the 2013 White Paper on Security and National Defense and the 2015 National Digital Security Strategy. It is intended to support the digital transition of French society, respond to new challenges arising from the evolutions of digital uses and related threats. Since the modification of the Defence Code in 2013, the Prime Minister conducts the French cyber security policy and sets out the rules regarding the enforcement of the security of the information systems. The National Cybersecurity Agency of France (“Agence nationale de la sécurité des systèmes d’information” (ANSSI)) was created in 2009 and aims at fostering a coordinated, ambitious, pro-active response to cybersecurity issues in France.  The agency intervenes against state systems and operators of vital importance (OVI) and accompanies the reconstruction of targeted information systems. Its role is also to anticipate, monitor, sensitize, train and develop a virtuous ecosystem capable of prevent and detect attacks. ANSSI also has a mission to prevent computer attacks by protecting state systems and OVIs, by anticipating attack modes and defining protective measures. Along with the creation of the ANSSI, the overall management of cyber security policy in France was extended to the Information Systems Security Strategic Committee (comité stratégique de la sécurité des systèmes d’information). Under the supervision of the Secretary General for Defence and National Security (secrétariat général de la défense et de la sécurité nationale; SGDSN), this committee coordinates and implements measures pertaining to the security of information systems.

Spain

Spain lagged in building a comprehensive and coordinated defence initiative to cyber risks and threats. It was done for the first time in the National Security Strategy (Estrategia de Seguridad Nacional, ESN) of 2011 which listed cyber threats and cyberattacks as among the main risks to national security. However, cybersecurity is now at the top of the agenda of the government and the formation in July 2012 of the National Security Department (Departamento de Seguridad Nacional, DSN) under the Prime Minister’s Office significantly boosted to the development of national security. The National Cyber Security Strategy (Estrategia Nacional de Ciberseguridad, ENCS) was adopted in December 2013 and is now the principal document for cyber security in Spain. In October 2014, the National Cyber Security Council adopted the National Cyber Security Plan, after identifying the challenges faced by Spain, by defining the action guidelines for the next two years to achieve optimal implementation of the objectives outlined in the ENCS. Its mission was implemented through a series of Derivative Action Plans such as strengthening and improving capabilities, and ensuring cooperation on cyber security and cyber defence, guaranteeing the security of the ICT systems of the Administration, protection and resilience of the ICT systems that support critical infrastructure, activation of the resources available to fight cybercrime and cyber terrorism, protection and resilience of the ICT systems of the private sector, boosting industrial development and professional training, and increasing RDI, fostering the culture of cyber security, international cooperation with countries in the EU and elsewhere and exchange of information on threats.

Hungary

The National Cyber Security Strategy of Hungary (NCSS) was adopted in 2013. The document is based on the foundations of EU and NATO cyber security principles and follows the mainstream take on cyber security strategies (values, environment, objectives, tasks, and tools). Based on a comprehensive approach, it states a cooperation between the state and non-state actors; military and law enforcement; and economic and political stakeholders. The NCSS also provides for the establishment of the highest political coordination body, the National Cyber Security Coordination Council under the supervision of the Ministry of Interior. The daily operative work is executed by the national cyber coordinator, who is coordinating the connected Cyber Security Working Groups (e.g. Homeland Security, Child protection, e-Government) as well, with the support of senior experts. Finally, a Critical Infrastructure Cyber Incident Response Centre was established within the framework of the National Inspectorate General of Industrial Safety of NDGDM. The main missions of the Centre are ensuring and contributing to network security of critical infrastructure elements, treating of industrial security incidents, training, and participating in industrial and network security exercises

As previously stated, belligerents of cyberwarfare are far more diffuse than a “normal” war. When “normal” citizen gets on the Internet, no boundaries or established armies can protect them from immediate arms and malicious acts. It is known that a computer is always as powerful as the weakest of its components. It is the same in cybersecurity where, most of the time, the weakest factor is human. Cybercriminals prefer to exploit human negligence rather than software security breaches to achieve their ends. In 2017, more than 75% of cyberattacks were due to human error. Therefore, each cybersecurity strategies must necessarily include citizen training on the basics of cyber-defence. Likewise, it is important to underline the recent inclusion of “cyber citizen participation” in national cyber-defence strategies. In France, in 2012, an initiative to create the Cyber Citizen Reserve (Réserve citoyenne cyberdéfense, RCC) was launched. It aims at engaging and relying upon opinion-formers in order to explain, raise awareness, and organise events that will contribute to making cyber defence a national concern and priority, while emphasising the sovereign aspects of cyber defence.

 In the light of the above, we reach an obvious conclusion: the transnational nature of the web renders all unilateral attempts of protection illusory, although it is questionable both legally and technically to admit that a State or a group of States can impose their own conceptions throughout the global digital space. In the absence of an international convention on the specific cyberwarfare, or “custom” that does not exist, the protection of individuals is and will for a certain period remain subject to the vagaries of the unknown.

Jean-Hugues Migeon

 

 

[1] John Perry Barlow, A Declaration of the Independence of Cyberspace (Davos, Switzerland: 1996): https://www.eff.org/cyberspace-independence

[2] Hugo Grotius, De iure belli ac pacis libri tres, Paris: Buon, 1625, II.1.2.1.

[3] Note that it is a bias for his country: In the Mare Clausum (Selden) published in 1635, it was to affirm the memory of the English seas constituting in this work a response to Mare Liberum Grotius published in 1609. He affirmed the general principle of freedom of the seas and of fishing against the Portuguese claims to the exclusive possession of the sea
Hugo Grotius, The Freedom of the Sea, transl. Ralph Van Deman Magoffin, Oxford University Press, 1960.

[4] M. Hildebrandt, Extraterritorial jurisdiction to enforce in cyberspace, Bodin, Grotius and Schmidt in cyberspace, University of Toronto Law Journal, 2013, p. 63.

[5] Katherine J Strandburg et al., ‘Law and the Science of Networks: An Overview and an Application to the “Patent Explosion”’ (2006) 21 Berkeley Tech LJ 1294; David R Johnson & David B Post, ‘Law and Borders: The Rise of Law in Cyberspace’ (1996) 48 Stan L Rev 1367

[6] M. Hildebrandt, op. cit. ; Julie E Cohen, ‘Cyberspace as/and Space’ (2007) 107 Colum L Rev 210 at 213

[7] Jack Goldsmith, ‘The Internet and the Legitimacy of Remote Cross-Border Searches’ (2001) U Chicago Legal F 103

[8] Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, para.3, p.6. Available at: http://www.un.org/ga/search/view_doc.asp?symbol=A/70/174.

[9] How to Protect Your Networks from Ransomware, U.S. Government interagency technical document. Available at: https://www.justice.gov/criminal-ccips/file/872771/download.

[10] “Black hat hackers” are motivated by either money or destruction. On the opposite, “white hat hackers” (also ethical hackers) aim to prevent failure of systems by revealing it and, sometimes, offering solutions.

[11] https://eeas.europa.eu/headquarters/headquarters-homepage/415/eu-international-cyberspace-policy_en

[12] https://ec.europa.eu/commission/sites/beta-political/files/building-strong-cybersecurity-factsheet-tallinn_en.pdf.

[13] Regulation on ENISA, the « EU Cybersecurity Agency », and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification ( »Cybersecurity Act ») 2017/0225(COD). Available at: http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1505737096808&uri=CELEX:52017PC0477.

[14] Article 1(1) of ENISA Regulation (EU) No 526/2013.

[15] Proposal for Directive of the European Parliament and of the Council on combating fraud and counterfeiting of non-cash means of payment and replacing Council Framework Decision 2001/413/JHA. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2017%3A489%3AFIN.

[16] ETS 185 – Convention on Cybercrime, 23.XI.2001. Available at: http://www.europarl.europa.eu/meetdocs/2014_2019/documents/libe/dv/7_conv_budapest_/7_conv_budapest_en.pdf.

[17] Commission recommendation of 13.9.2017 on Coordinated Response to Large Scale Cybersecurity Incidents and Crises. Available at: https://ec.europa.eu/transparency/regdoc/rep/3/2017/EN/C-2017-6100-F1-EN-MAIN-PART-1.PDF.

[18] Draft Council Conclusions on a Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (« Cyber Diplomacy Toolbox »). Available at: http://data.consilium.europa.eu/doc/document/ST-9916-2017-INIT/en/pdf.

[19] https://www.nato.int/cps/ic/natohq/opinions_145415.htm.

 

For further information

About black hat hackers and white hat hacker – Porterfield Jason, White and Black Hat Hackers, Rosen Publishing Group, 2017, 64p.

About EU-NATO cooperation – NATO Parliamentary Assembly, Defence and Security Committee, NATO-EU Cooperation after Warsaw, Report, 2017. Available at: https://www.nato-pa.int/download-file?filename=sites/default/files/2017-11/2017%20-%20163%20DSCTC%2017%20E%20rev%201%20fin%20-%20EU%20AND%20NATO%20COOPERATION%20-%20MESTERHAZY%20REPORT.pdf

About OSCE’s non-military CBMsOSCE Guide on Non-military Confidence-Building Measures. Available at: https://www.osce.org/secretariat/91082?download=true

About National Cybersecurity organisation in Spain – Alexander Cendoya, National Cyber Security Organisation: Spain, CCDCOE, Tallinn, 2016, 22p. Available at: https://ccdcoe.org/sites/default/files/multimedia/pdf/CS_organisation_SPAIN_092016.pdf

About National Cyber Security Organisation in France – Pascal Brangetto, National Cyber Security Organisation: France, CCDCOE, Tallinn, 2016, 18p. Available at: https://ccdcoe.org/sites/default/files/multimedia/pdf/CS_organisation_FRANCE_032015_0.pdf

About National Cybersecurity organisation in Hungary – László Kovács & Gergely Szentgáli, National Cybersecurity Organisation: Hungary, CCDCOE, Tallinn, 2016, 14p. Available at: https://ccdcoe.org/sites/default/files/multimedia/pdf/CS_organisation_HUNGARY_2015-10-12.pdf