Offensive cyber operations endanger us all

There is increasing debate and concern over the actions of states and non-state actors alike in the cyber domain.  Annegret Bendiek and Ben Wagner, associates of the German Institute for International and Security Affairs (SWP), outline key challenges and the dubious utility of offensive cyber operations in their article Making states responsible for their activities in cyberspace.

Ensuring the stability and integrity of the internet is a crucial goal for policy makers. In the words of the GGE [UN Group of Governmental Experts], it is a “key question for international peace and security.” – Annegret Bendiek and Ben Wagner

The two main methods of combatting cyber-security threats are:

  • “deterrence by resilience” — strengthening defenses and cyber infrastructure to ward off attacks; and
  • “deterrence by retaliation” — offensive responses to cyber-attacks.

While enhanced defensive measures can be highly beneficial, “deterrence by retaliation” can be challenged on many fronts, including effectiveness, legality and political legitimacy as well as the potential for serious “blowback”.

Many leading scholars have warned that the build-up of offensive capabilities only repeats the mistakes of the past. It fosters mistrust, leads to a new arms race and might even lead to the internet’s disintegration as states increasingly assert their sovereignty. – Bendiek and Wagner

As highlighted in an earlier Ceasefire.ca blog post, Canada’s new defence policy asserts Canada’s intention to go beyond much-needed enhancements of cyber defences to the “conduct of active active cyber operations against potential adversaries in the context of government-authorized military missions.”

But this new DND cyber mandate pales in comparison to the “vast mandate” outlined in Bill C-59 for the highly secretive Communications Security Establishment to carry out activities:

to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security. – Section 20 of the proposed Communications Security Establishment Act (CSE Act)

Such extraordinarily permissive language gives CSE the power not only to undermine fundamental rights and freedoms of Canadian citizens but also to contravene Canada’s international legal obligations.

Using the cyber domain as a battlefield is riddled with perils, with grave potential to undermine the reliability of the internet and the crucial infrastructure that it supports. Clearly our main objective now has to be

to encourage the development of an international order in which there are formidable restraints on the use of cyber force. – Lawrence Freedman

For the full article by Bendiek and Wagner, see: Making states responsible for their activities in cyberspace (The Security Times, February 2017).

Photo credit: NATO website

Tags: Bill C-59, Craig Forcese, CSE, cyber defences, cyber domain, cyber warfare, cyberspace, international law, international norms, NATO, Strong Secure Engaged, UN GGE, UN Group of Governmental Experts