Information and communication technology (ICT) plays an unprecedented role in today’s world, but cyberspace is clearly lacking in security mechanisms that can guarantee stable and sustained world development. Insufficient information security is a barrier to investment in high-tech sectors. Digital technology with its artificial intelligence (AI), cloud computing, big data, the internet of things (IoT), electronic medicine, and electronic finance is a hostage to the absence of internationally accepted rules of behavior in cyberspace.
All countries without exception are increasingly vulnerable to cyber threats. The international community needs to join forces to build a reliable information security system, but instead individual states pursue policies that make cyberspace even less secure.
The United States is undoubtedly a global ICT leader. However, over the past few years it has increasingly demonstrated an open desire to use ICT for military purposes. It has been developing military ICTs and intensively militarizing cyberspace, thereby unleashing a cyber arms race. There is ample evidence of this.
It was the United States that developed the Stuxnet computer worm, and the American use of it against Iran in 2011 was, as it were, a cyber Hiroshima and an alarm signal to the entire international community because that cyberattack might have had irreversible consequences for Iran, and for its region as a whole for that matter. That attack was effectively the first instance in history of a state using a cyber weapon against another state. Thereby, the United States threw Iran’s civilian nuclear program several years back.
In 2009, the Pentagon set up a body to direct cyberspace operations, the United States Cyber Command (USCYBERCOM), and put it in full-scale service the next year. Cyber Command is authorized to conduct both defensive and offensive operations. Its decisions are to be based on reports from the National Security Agency (NSA).
In August 2017, US President ordered Cyber Command to be elevated to the status of an independent unified combatant command. The order, which was implemented in May 2018, put Cyber Command on a par with the nine other unified combatant commands. Cyber Command is currently hiring hundreds of cyber operators to help carry out defensive and offensive cyber operations. The command is planned to eventually comprise nearly 6,200 personnel organized into 133 teams. According to media reports, these teams are due to achieve full operational capability by the end of 2018.
Lieutenant General Paul Nakasone, head of NSA and Cyber Command, has called for a more aggressive approach to opponents in cyberspace. For this reason, in March 2018 a road map was drawn up for Cyber Command that was entitled Achieve and Maintain Cyberspace Superiority. The new strategy requires that the U.S. military carry out practically daily raids on foreign networks and disable suspicious servers before they launch malicious software. The Pentagon is, besides, developing an advanced cyber weapon system to be called United Platform. Hardly any details about it have been disclosed but the facility is known to be planned as the basis for the defense of U.S. government agencies against hacker attacks and for offensive online operations.
The new cyber strategy is expected to force “strategic costs on our adversaries, compelling them to shift resources to defense and reduce [online] attacks.” But, in order to avoid any of its moves being qualified as an act of military aggression against another country, Cyber Command would not cross the line into actual warfare. Cyber Command’s initiatives are reflected in the 2018 National Defense Strategy, the year’s chief military doctrinal document of the United States.
The New York Times has cited current and former U.S. officials as warning that U.S. attacks against foreign networks may provoke “retaliatory strikes against American banks, dams, financial markets or communications networks.” Moreover, Cyber Command admits that its strategy poses diplomatic risks because, according to what it calls “new vision” of Cyber Command, it is by no means terrorists, hackers or common criminals that are the United States’ main adversaries but states – China, Russia, Iran and others.
Another aspect of the United States’ new cyber policy is legislation. At the National Cybersecurity Summit in New York on July 31, 2018, which was hosted by the Department of Homeland Security (DHS), U.S. Vice President Mike Pence called on the U.S. Senate to enact legislation to create a specialized DHS body11. In order to fund the new body that should act as a centralized hub and encompass resources of the US national government, Mike Pence asked Congress for a record $15 billion.
The United States is going out of its way to monopolize cyberspace. It is an increasingly intensive enterprise, and what makes it particularly dangerous are Trump’s initiatives to do away with the traditional system of White House control of U.S. offensive and defensive cyber activities while a system that is going to replace it is still essentially in embryo.
The Wall Street Journal said that, on August 16, 2018, Trump with a stroke of the pen scrapped Presidential Policy Directive 20, which had been issued by former president Barack Obama and laid down rules on the use of cyber weapons against adversaries of the United States. According to the Wall Street Journal, Trump’s move aimed to lift restrictions on the offensive use of cyber weapons against foreign states because of alleged fears that some supposed hackers were plotting to meddle in U.S. congressional elections in November 2018.14
Hence, the United States is replacing the Obama-era cyber strategy of defense and deterrence with a strategy authorizing aggressive offensive action up to pre-emptive cyberattacks against sovereign countries.
Besides, the United States has for several decades been conducting global espionage via the Echelon electronic system that was based on a 1947 agreement between the United States and four allies. Today’s sophisticated ICTs enrich the resources of U.S. intelligence services. One good example is the Program for Robotics, Intelligent Sensing and Mechatronics (PRISM), which has been running since 2007 and is a facility for the mass-scale secret collection of digital data without judicial approval. In 2013, former CIA employee Edward Snowden publicized documentary evidence that PRISM gave American intelligence services access to the central servers of nine key Internet companies – Microsoft, Yahoo!, Google, Facebook, Paltalk, YouTube, AOL, Skype, and Apple. This implies that the intelligence services are building a global database of audio and video files, photographs, emails, and personal data of social network users. Moreover, according to Snowden’s revelations, NSA tapped the telephone conversations of 35 world leaders and some foreign diplomats, also via PRISM. Experts claim that U.S. intelligence services, in collaboration with Britain’s Government Communications Headquarters (GCHQ), have been cracking practically all Internet cryptography standards by using supercomputers and the services of savvy hackers.
The United States’ cyber weapons buildups and global cyber espionage threaten world security. The United States may accuse any country of a hacker attack without any substantial evidence and launch an aggression, even armed action, against it with the assistance of its allies. The range of actions prescribed by the 2015 version of the U.S. Defense Department’s cyber strategy includes armed retaliation for cyberattacks. Recently, Western politicians, mainly the U.S. administration, have been showering Russia with accusations of cyber transgressions of all kinds. In tune with the established practice, no sustainable evidence has been provided of alleged Russian subversive cyber activities. Because of the fanning of the Russian hacking myth and fake news, it largely goes unnoticed that Russia itself has been a victim to large-scale cyberattacks – in 2017, for example, its critical state infrastructure came under more than 70 million attacks.
Nearly 20 years ago, Russia became the first country to sound the alarm at the United Nations about threats that were germinating in cyberspace. Moscow put forward a breakthrough initiative for a guarantee of international information security – a draft UN General Assembly resolution entitled Developments in the field of information and telecommunications in the context of international security. Since 1998, draft resolutions with the same title have been included in General Assembly session agendas every year. In 2017, to ensure the continuity of information security debates in the United Nations, Russia and more than 60 other countries proposed that the General Assembly put the cybersecurity issue on the agenda for its 73rd session. The proposal received unanimous approval.
Russia also initiated the creation of a UN negotiation mechanism on international information security – the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE). The GGE has reached agreement on many key points such as sources of cyber threats, the imperative of taking action against cyber terrorism and cybercrime, and the principle that international law applies to cyberspace. The GGE unanimously approved three detailed reports that recommended rules on the responsible behavior of states in cyberspace. In 2015, the member states of the Shanghai Cooperation Organization (SCO) put before the United Nations a proposed draft document that aimed to prevent conflicts in cyberspace and was entitled International Code of Conduct for Information Security.
The Russian position amounts to the principle that no military or political conflicts in cyberspace are acceptable and that therefore any policy that doctrine declaring the use of force in cyberspace a fair method must be rejected.
Russia stands for a digital world order that is based on equality and justice and guarantees the possibility of advancing national interests to all countries regardless of their level of technological development. State sovereignty, non-use of force, the non-interference of a country in the internal affairs of another country, the observance of the fundamental rights and freedoms of the individual, and the equal rights of all states in governing the Internet must be key principles.
The international community needs to develop universal rules on responsible behavior in cyberspace, rules that would be approved by all states. This is a fundamental condition for peace in cyberspace. Russia as the initiator of UN debates on international information security urges all countries to start full-scale work on such rules. Moscow plans to submit a draft resolution containing a basic set of rules to the General Assembly’s First Committee during the Assembly’s 73rd session this year. The planned resolution would include all of the GGE’s recommendations of 2010, 2013 and 2015. It would propose 25 rules, including –
– purely peaceful use of ICT;
– international action to prevent conflicts in cyberspace;
– observance of the principles enshrined in the UN Charter, including the sovereign equality of states, refraining from the threat or use of force, and the non-interference of states in the internal affairs of other states;
– avoidance of groundless accusations of malicious use of ICT and provision of evidence to support any accusation;
– non-use of ICT by states for interfering in the internal affairs of other states;
– non-use of mediators for cyberattacks;
– measures to prevent the spread of malicious ICT instruments and harmful hidden functions.
Russia proposes that these 25 rules should be a basic set of guidelines that might be adjusted and enlarged afterward. This process could be carried out in 2019 by the renewed UN GGE on IIS, which will ensure continuity of IIS discussion within the UN through already tested format.
Cybercrime has been growing on an unprecedented scale, posing a serious international threat. UN Secretary General António Guterres has said that cybercrime yearly inflicts damages of about $1.5 trillion on the world.
Regional legal mechanisms such as the Council of Europe Convention on Cybercrime (Budapest Convention), which was signed in 2001, cannot defeat this evil, although the West literally tries to force the convention on the entire world, including Russia, as the only possible format for international anti-cybercrime action.
Russia’s position on the Budapest Convention remains unchanged. Moscow has repeatedly pointed out that it cannot accept Article 32b of the convention, which, allegedly in the interests of criminal investigations, effectively allows a state to access information stored on any computer on the territory of another state without seeking the latter’s permission for this and even without notifying that state.
Russia believes that it is imperative to develop a new, universal instrument for combating cybercrime. This idea is enshrined in the declaration of the BRICS summit of July 2018. Russia plans to initiate a full-scale debate on this matter in the UN General Assembly’s Third Committee by submitting a draft resolution “Countering the use of ICTs for the criminal purposes” to that effect.
A draft universal convention on cooperation in combating cybercrime that was submitted by Russia to the United Nations was accepted by the General Assembly as one of its documents on December 28, 2017 and was meant to act as “food-for-thought”. It becomes clear that a start for the relevant wide political discussion within the UN General Assembly in New York is needed.
Absolutely all states are obviously in the same boat as regards cybercrime. Some of them are safer against it than others but all are vulnerable to it, and the United States with all its numerous cybersecurity services is no exception either. In a world harassed by cyber gangs, international community should jointly deal with real and not fake threats and criminals.
There is an alternative to the cyber arms race – a cyberspace peace plan proposed by Russia and other countries standing for strengthening peace and security in information space. Future reactions in the United Nations to Russia’s information security initiatives will make clear who really wants peace in cyberspace and who uses manipulation and fake concerns as a screen for plans to unleash a cyberwar. Maintenance of peace in cyberspace is the responsibility of each sovereign member of the international community.
First published in our partner International Affairs