IGF 2020 WS #346 A Recipe for Deterrence in Cyberspace

Information

Session

Time:

Tuesday, 17 November, 2020 - 10:10 to 11:40 UTC

Room:

Room 3

About this Session:

Area:

Trust

Topic(s):

Cyberattacks
diplomacy
Norms

Organizer 1: John Hering, Microsoft
Organizer 2: Jamal Edwards, Microsoft

Speaker 1: Douzet Douzet, Civil Society, Western European and Others Group (WEOG)
Speaker 2: Joanna Świątkowska, Private Sector, Eastern European Group
Speaker 3: Katherine Fox, Government, Western European and Others Group (WEOG)
Speaker 4: Elonnai Hickok, Civil Society, Asia-Pacific Group
Speaker 5: Chris Inglis, Private Sector, Western European and Others Group (WEOG)

Additional Speakers:

Katherine Fox, from the UK's Foreign and Commonwealth Office will be replacing Kathryn Jones, from the same office.

Chris Inglis, of the US Cyberspace Solarium Commission, will be added as a speaker.

Moderator:

John Hering, Private Sector, Western European and Others Group (WEOG)

Online Moderator:

Kaja Ciglic, Private Sector, Eastern European Group

Rapporteur:

John Hering, Private Sector, Western European and Others Group (WEOG)

Format:

Break-out Group Discussions - Flexible Seating - 90 Min

Policy Question(s):

Cybersecurity policy, standards and norms

i) What kind of coalition will be necessary to establish meaningful deterrence in cyberspace?

ii) What types of response options will deter malicious behavior online, and who should be held responsible for such activity in order to deter it (states, organizations, individuals)?

iii) How will deterrence policies and approaches online need to differ from state to state?

Issues, Challenges and Opportunities addressed:

Amidst escalating geopolitical tensions and government investment in offensive military capabilities in cyberspace, as well as the use of such capabilities by third parties and criminal actors, nations are exploring how to establish a meaningful deterrent against malicious behavior online. However, unlike other domains of conflict, it can be difficult to determine responsibility for cyberattacks or to know what appropriate responses might be when the same attack or response may have varying impacts in different contexts and when states have such radically different ICT infrastructure. Central to this discussion will be questions about what constitutes an appropriate deterrent response in cyberspace – including possible kinetic actions – whether deterrent responses should be targeted against responsible governments, organizations or individuals, and what types of coalitions and structures are needed for countries to establish an effective deterrence posture in cyberspace. Despite the challenges, effective deterrence remains an essential ingredient in promoting stability online and discouraging the continued escalation of sophisticated attacks, requiring cooperation and coordination across stakeholder groups.

SDGs:

GOAL 16: Peace, Justice and Strong Institutions
GOAL 17: Partnerships for the Goals

Description:

This session will provide a discussion of the central challenges and opportunities related to states establishing policies and regimes to deter malicious activity in cyberspace. The potential of such deterrence postures relies in large part on cooperation with industry and civil society groups, as well as other governments, to establish credible attributions as well as meaningful response options sufficient to discourage bad actors. Discussion will build on recent developments and scholarship on the topic, including the establishment of the European Union’s cyber deterrence regime and the Joint Statement on Advancing Responsible State Behavior in Cyberspace that was signed by 27 governments this past autumn. Speakers will include representatives from government and international organizations leading these efforts, as well as academics and members of think tanks evaluating what could make such efforts successful.

Attendees are also encouraged to join the corollary IGF Workshop #350 on Attributing cyberattacks, also to be held on the 17^th.

Speakers:

John Hering, Microsoft (Moderator)
Frederick Douzet, French Institute of Geopolitics
Elonnai Hickok, Carnegie Endowment for International Peace
Katherine Fox, Foreign and Commonwealth Office, United Kingdom
Chris Inglis, US Cyberspace Solarium Commission

Format:

Given the virtual setting, the 90-minute panel will be split roughly evenly into two sections, with the first 45 minutes dedicated to a moderated panel discussion, and the second 45 minutes being open to questions from those in attendance. Those in attendance are encouraged to come prepared with questions.

Expected Outcomes:

Participants will walk away with a foundational understanding of the essential policy questions and challenges for establishing deterrence in cyberspace, as well as what kind of cooperative structures will help make such efforts more effective. Participants, including speakers, who are working in this issue space directly will benefit from the diversity of global perspectives in the room that will help address specifically who should be included in establishing deterrence policies and who should be held responsible for malicious behavior online under such policies.

Relevance to Internet Governance: Recent years have seen a dramatic spike in sophisticated attacks in cyberspace. Bringing stability to the online world, and turning the tide against this trend, will require shifting the balance of costs and benefits currently driving such attacks so that malicious actors are deterred from pursuing them. From coordination to attribution, and imposing sanctions and other response options, credible deterrence will require cooperation and support from many different stakeholder groups and clarity about expectations and responsibilities for all parties involved.

Relevance to Theme: Trust in the online world is inherently linked to the confidence among citizens everywhere that malicious activity, and especially the most sophisticated and significant attacks, are effectively discouraged and that when such activity occurs, those responsible can and will be held to account. Successfully deterring such activity is a complicated challenge with important implications and roles for all stakeholder groups in order to promote the security and stability of the online world.

Discussion Facilitation:

Organizers will leverage the multiple avenues the IGF makes available to socialize this interactive session to include a wide audience of interested stakeholders, highlighting central questions and relevant policies to prospective attendees to set up a rich discussion in advance. Participants will also be encouraged to attend the session on attribution as well (if accepted), to add additional depth to the discussion in this session on deterrence. The majority of the time in the session will be set aside for small group discussion of central questions, as well for attendee questions for speakers.

Online Participation:

Usage of IGF Official Tool.

Agenda:

Report

1. Key Policy Questions and related issues:

What is the potential for deterrence in cyberspace?

What are existing models/approaches to deterrence in cyberspace?

How might other stakeholder groups be involved in supporting deterrence?

2. Summary of Issues Discussed:

Speakers all recognized a common understanding of “deterrence” that refers to dissuading adversaries and bad actors from taking certain actions. As cyberspace has gained prominence as a domain of conflict in recent years, there is clear need to apply this same thinking to the digital domain in order to discourage attacks and encourage responsible behavior. Different approaches to deterrence that were highlighted included deterrence by punishment, deterrence by denial, and deterrence via benefits for responsible behavior.

Speakers also all recognized that underscoring any effective deterrence model needs to be a clear set of normative expectations, making ongoing international efforts to establish such expectations in cyberspace especially important – including the dialogues at the United Nations, as well as multistakeholder agreements like the Paris Call for Trust and Security in Cyberspace. The ability to credibly attribute cyberattacks was also cited as a prerequisite for effective deterrence. In addition, especially when it comes to issues of deterrence by denial – or making attacks themselves more difficult to conduct – industry, particularly the technology industry, has an important role to play in ensuring they are developing and maintaining secure products and services to reduce the overall threat surface.

While there was consensus around the need for deterrence approaches that reward responsible behaviors and improve defensive security, there was some division among speakers, as well as those attending the session, about the benefits of deterrence by punishment. Examples included sanctions against individual actors, as well as a range of credible threats of offensive actions to be taken online and off in response to discourage violations. Some worried that this model could drive an arms race and proliferation of capabilities, while others emphasized that rules do need to enforced to dissuade malicious actors.

3. Key Takeaways:

The escalation of conflict in cyberspace in recent years is untenable and threatens to undermine security as it becomes more prevalent. Addressing this trend requires new thinking around the traditional tools of statecraft to make them applicable in a domain that is shared simultaneously by all stakeholder groups. This includes in the application of deterrence theory in cyberspace.
Deterrence in cyberspace, like all domains, seeks to dissuade malicious actions by making it more difficult or more costly for actors to pursue them. This means hardening security to make cyberattacks more challenging to conduct, recognizing and rewarding responsible behavior, and imposing meaningful consequences in response to cyberattacks.
Unlike earlier deterrence models, including the Mutually Assured Destruction of nuclear security, the number of actors and the proliferation of capabilities in cyberspace requires a much more dynamic approach that includes a wider range of response options and rewards for responsible behaviors.
Successful deterrence requires clear international norms and expectations. Governments should therefore be more engaged in establishing, strengthening and reinforcing rules of the road in cyberspace across different forums which include multistakeholder perspectives.
Deterrence by denial in cyberspace necessitates improved security across the board, especially for critical infrastructure, and therefore a whole-of-society approach to cybersecurity. This requires close coordination with the technology industry to make sure products are being developed and maintained securely and can be further supported by governments adopting and sharing their policies on vulnerability handling.

4. Policy Recommendations or Suggestions for the Way Forward:

What policy sector(s) does this fall under? (leave blank if not sure):

Overarching governance issues

Issue and Recommendation:

Deterrence requires clear international rules and norms to be established and reinforced in cyberspace.

Who should take it?:

Governments should lead the way in international forums, like the UN, in agreeing on such norms and rules. The broader multistakeholder community needs to be included in these discussions and norms can continue to be advanced in other multistakeholder forums as well.

What policy sector(s) does this fall under? (leave blank if not sure):

Technical

Issue and Recommendation:

Deterrence by denial will require improved capabilities and therefore capacity building efforts in nations around the world.

Who should take it?:

Governments and the multistakeholder community should work together to invest in capacity building efforts to ensure nations across the digital divide can make successful attacks less likely.

What policy sector(s) does this fall under? (leave blank if not sure):

Economic

Social-cultural

Technical

Issue and Recommendation:

Cooperation between governments and industry to improve the security of digital products and services. This means responsible vulnerability handling and disclosure by the private sector as well as governments to ensure

Who should take it?:

Industry, especially the technology industry, and governments.

5. Other Initiatives Addressing the Session Issues:

Initiative:

Cyberspace Solarium Commission Report (March 2020) - Cybersecurity strategy guidance for the US Government - https://drive.google.com/file/d/1ryMCIL_dZ30QyjFqFkkf10MxIXJGT4yv/view

Initiative:

Joint Statement on Advancing Responsible State Behavior in Cyberspace (Sept. 2019) - US-led joint commitment to uphold international expectations in cyberspace - https://www.state.gov/joint-statement-on-advancing-responsible-state-behavior-in-cyberspace/

Initiative:

Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities - Outlines the European Union's framework for responding to malicious actors in cyberspace, including the imposition of sanctions. - https://www.enisa.europa.eu/events/artificial-intelligence-an-opportunity-for-the-eu-cyber-crisis-management/workshop-presentations/20190603-eeas-eu-cyber-diplomacy-toolbox.pdf

6. Final Speakers:

7. Reflection to Gender Issues:

There was no direct discussion of gender during the session

8. Session Outputs:

Ongoing cyber deterrence efforts:

9. Group Photo:

Main menu

IGF 2020 WS #346 A Recipe for Deterrence in Cyberspace

Information