When Cyberspace Becomes a Cyber Battleground
Adjunct professor at Simon Fraser University, senior fellow at The Simons Foundation, senior advisor to ICT4Peace
So-called “transparency” measures have long featured in international security discourse as a means of promoting confidence amongst states through publishing details of policies and capabilities. In what might be considered the greatest, unintended “transparency” measure of recent times, a top secret U.S. “Presidential Decision Directive (PDD)” on cyber operations was published in the Guardian newspaper.
The 18-page document of PDD 20, which was issued to the national security establishment last October, sets out in great detail the procedures to govern American cyber action abroad. Specifically it envisages cyber collection (i.e. espionage) and “cyber effects operations”. This latter category encompasses a variety of detrimental action against foreign computers, information, and cyber infrastructure, ranging up to their actual destruction. The category is further divided into defensive and offensive cyber effects operations as a function of whether the action is taken to counter an “imminent threat” or “malicious cyber activity” in the defensive mode, or to pursue other national interests in the offensive mode. Whether this distinction will be meaningful to those operating the computer systems targeted is not considered in the PDD, and relevant issues such as who will make these determinations and on what basis are also not spelled out.
If such provisions for damaging cyber operations abroad are disconcerting for those wishing to preserve cyberspace for peaceful purposes, the upper rungs of the cyber ladder of escalation are truly alarming. Cyber effects operations that will result in what the PDD euphemistically terms “significant consequences” allow for actions causing “loss of life” and “significant damage to property”, although this level of operation would require presidential approval.
Although the PDD states that these external cyber effects operations will be carried out by the U.S. in a manner “consistent with its obligations under international law”, there seems scant consideration to the implications of these operations for the international security landscape. It is true that as part of the decision criteria specified for the approval of operations, certain internationally-relevant “risk” factors are mentioned, such as the establishment of “unwelcome norms of international behavior” and “the impact on the security and stability of the Internet”, but there is no indication of what weight these factors would have in relation to others. The PDD, in a top-secret paragraph, calls for the identification of potential targets of national importance “where offensive cyber effects operations can offer a favorable balance of effectiveness and risk, as compared with other instruments of national power” and directs that relevant offensive cyber effects capabilities against these targets be “established and maintained”.
Essentially absent from this comprehensive guidance on the employment of damaging cyber operations in other countries is a diplomatic dimension. The only reference is a passing mention of the secretary of state who is to continue efforts “to establish an international consensus around norms of behavior in cyberspace”. It is likely that the revelation of these procedures for engaging in damaging cyber operations coupled with the growing offensive cyber capabilities being heralded by the U.S. military will overshadow the limited calls made earlier by Washington for developing “norms of responsible state behavior” within the international system.
Other states are likely to take their lead from U.S. policy and action in this new field of international security. If the trend will be towards creating offensive cyber capabilities and “weaponizing” cyberspace, other states will follow suit and an opportunity to preserve cyberspace as a domain for international cooperation rather than conflict may be lost. Civil society as the primary stakeholder in cyberspace cannot afford to be indifferent to which course of action is followed.
One can only hope that a consequence of the unintended revelation of America’s policy on waging cyber warfare abroad will be renewed efforts to forestall these contingencies through the negotiation by states of some cooperative security measures.