Developing Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies: Lessons Learned from the OSCE
It is a pleasure to be here surrounded by so much expertise and familiar faces. I would like to thank the organisers for inviting me here – I think this is already my fourth visit to your event and every time I have found it both useful and enjoyable.
Before I begin, let me stress that I work for the Secretariat of an Organization that comprises 57 States – what this means is that, in effect, I have 57 bosses, in addition to my Director. You can imagine that whenever you have such a large group of States sitting around one table, it is almost inevitable that many different positions and preferences on any topic exist – and cyber/ICT security is no exception. As such, since I was invited not as an independent cyber/ICT security expert but, rather, as an OSCE representative, I will not be taking sides and will remain strictly neutral – which I am sure you will understand.
I will, nevertheless, try to share with you some lessons learned at the OSCE, in the hope that they might be beneficial for the issues this session is aiming to discuss, namely “Internet: space of freedom or new battlefield”.
Clearly it is and will, likely for the foreseeable future, be both. Like so many other inventions, the Internet is what users make of it.
Much like fertiliser, for example. Do I use it for agriculture to grow crops or do I use it to make bombs? – to give only one, albeit simplified, example.
The Internet is neither inherently good nor evil, it just is. Users determine what it is used for. Of course, with an infrastructure that is home to so many users it is inevitable that a variety of purposes will exist and, at times, this means that interests will collide and clash. This is true on the very small, individual Internet user level – e.g. when two persons want to register the same domain name. But, and this is the part that interests me, it is also true on the very big level, i.e. the interaction of States. The problem is that whenever the interests of States clash there is always the potential for misunderstandings and escalation.
With regard to cyber/ICT attacks, States are, clearly, the actors with the most resources at their command and with the highest levels of capability. An additional concern is so-called “proxies”, i.e. perpetrators that could, potentially, act on behalf of or with the – actual or implied – consent of a State.
As you know, States are becoming more and more vocal about the possibility that attacks on or via cyberspace could, if they were deemed severe enough, be met with a real-world – a kinetic – response. It is no secret, for example, that the thresholds for when a cyber/ICT attack could trigger the relevant articles in international agreements related to a kinetic response are being explored (e.g. Article 5 of the Washington Treaty or Article 51 of the UN Charter). While this process is still ongoing, it clearly illustrates the importance that States attach to the potential of threat escalation.
One method to counter this development is to build confidence among States. This is where confidence-building measures (CBMs) come into play and it is one of the reasons they are so important. In my view, CBMs should work towards preventing an attack on or via cyberspace from escalating into a real-world, kinetic attack. They should work towards minimising uncertainty among States. Frankly, I believe this to be crucial work because, in the long run, uncertainty among States frequently leads to negative outcomes.
With this in mind, as most of you will know, the OSCE participating States (pS) spent last year negotiating an initial set of confidence-building measures to reduce the risks of conflict stemming from the use of information and communication technologies.
This in itself was a success. I remember sitting here, at this event, last year with somewhat empty hands because the participating States could not agree on language to create an Informal Working Group (IWG) to develop the aforementioned CBMs – incidentally, that decision was adopted just afterwards i.e. on 26th April 2012.
Throughout 2012 negotiations among participating States continued with the aim of adopting an initial list of CBMs at the 2012 OSCE Ministerial Council (MC).
Allow me to give you some additional information in this regard: The CBMs under consideration focused on a very modest set of transparency measures which would have allowed for exchanges of information and communication on several levels.
Use of these CBMs would have been voluntary and the pertinent Decision politically binding rather than legally binding. Each participating State could e.g. have determined which information they would have wanted to share and to what extent they would have wanted to use the relevant communication channels.
The initial list of CBMs was intended to be updated in the future. Therefore, measures that would not have been included in the first set could have subsequently been considered in discussions of the second, third etc. set.
It is in the nature of CBMs that by agreeing to them no State wins at the cost of another. Certainly, in my opinion, all States would have benefited from the modest set that was under consideration.
On the whole, these CBMs would have been an initial show of goodwill in light of worsening cyber/ICT security relations among States (e.g. on issues such as Internet governance, or cybercrime).
Frankly, I would have loved to sit here today and tell you how at the OSCE Ministerial Council in Dublin this past December the participating States reached consensus on this initial set.
I would have loved to showcase the good work done by the aforementioned, specifically created, IWG established by Permanent Council Decision 1039 – complete with anecdotes on a few particularly tough negotiations, sticking points and other issues that were resolved, ideally at the very last minute. I would then have outlined how we had already moved into the implementation phase of said initial set of CBMs while at the same time exploring possibilities of how to expand and update them in the future.
Alas, it was not meant to be: Even though they were close in Dublin, consensus, unfortunately, did not reward all the good work that participating States and their thematic experts – a few of whom are in the room today – put into IWG meetings last year.
Negotiations, therefore, continue.
However, rather than dwell on the past I would like to build on and learn from it and look into the future.
In my view, there are two key lessons: (1) The first has been to incorporate all additional CBM proposals that were officially submitted to the IWG Chair into an updated draft set of CBMs. (2) The second has been to schedule significantly longer capital-level meetings so as to provide capital experts with the framework for in-depth discussion which – if you allow me a personal comment – will certainly be necessary as the latest draft incorporates a number of controversial issues; or at least issues on which significant disagreement exists among States.
The Secretariat has been tasked with supporting the work of the pertinent IWG. It is, therefore, not for me to comment on the speed of proceedings.
Allow me, nonetheless, to share with you the following observation. It appears that discussions on CBMs proceeded in the “right” direction, that is, positions were moving closer together, until about October of last year.
Since then positions appear to have moved further apart and the latest version of the draft set of CBMs – with the added proposals and counterproposals – is an illustration thereof.
This development mirrors those in a number of international fora where a variety of other cyber/ICT security related issues are being discussed and where, throughout 2012, positions among States have moved further apart and continue to do so.
The difference between the CBMs pursued at the OSCE and discussions in other international fora, however, is that CBMs are exactly the type of measures that need to be in place to avoid potential misunderstanding and escalation when relations among States in other venues worsen. Think of them as pressure valves. As pressure grows you need valves to safely release it. And, importantly, as any mechanical engineer would tell you, these pressure valves need to be put in place before a crisis situation arises.
As such, it remains my belief that it is in the interest of all participating States to elaborate this first set of CBMs on its own merit, bearing in mind that it represents a beginning and not the end of negotiations. Clearly, they are intended to be updated and expanded in the future. As I have said before, at their core, these CBMs are an initial show of good-will in the face of worsening cyber/ICT security relations among States.
The further apart positions among States are, the bigger the need for CBMs – even though it is also more difficult to reach consensus on them.
It is, therefore, my hope that when capital experts gather in Vienna for this year’s first capital-level IWG meeting – hopefully sooner rather than later – they will do so with the above in mind and with the necessary urgency as well as the will to reach agreement on an initial set of CBMs as soon as feasible.
With this in mind allow me to close with this: Not long ago, I had a lunch with several senior diplomats who wanted to exchange thoughts on cyber/ICT security. One of them, as we were eating dessert, shared his experience on negotiating arms treaties many years ago and stressed how long these discussions had lasted. Against this experience, he said, there was no reason to be discouraged with regard to cyber/ICT security related CBMs, since States have only been working on them for a comparatively short period of time.
I appreciate that, in terms of multilateral diplomacy, two years is not a long time. Nonetheless, it is my belief that time – in general – is the one resource we do not have – and certainly not in the current circumstances. Not least because disagreements among States keep growing with regard to a number of key issues related to cyber/ICT security. As a result, time is not on our side when it comes to putting in place mechanisms aimed at preventing misunderstandings and escalation of a cyber/ICT attack, potentially even into a real-world, kinetic attack. CBMs are such a mechanism.
Time is not on our side. The situation States find themselves in today is different from 2012. I would argue that it is, actually, quite a bit worse because the tone of discussion has become more tense and positions relevant to some aspects of the thematic area have moved further apart and continue to do so.
In my opinion, this simply cannot be in the interest of any OSCE participating State!
It is my hope that recognition of the benefits of moving closer together again will prevail in the long run and the OSCE Secretariat will continue to do whatever it can to support this very worthwhile process.
In any case, whether States move closer together again or not will, ultimately, determine whether in the future we think of the Internet as primarily a space of freedom or a battlefield.
Cyber Security Officer OSCE Secretariat
Transnational Threats Department
This article is based on a presentation delivered at the 7th Scientific conference of the International Research Consortium on Information Security, as part of the International Forum on «Partnership of state authorities, civil society and business community in ensuring international information security», held on 22-25 April 2013 in Garmisch-Partenkirchen, Germany. It is published on Digital.Report with explicit permission from the conference organizers.