Daily recap: Building trust and confidence in cyberspace: advancing international law

Here is your recap of the second day of Friends of Europe’s Security Summit

Tuesday 24 November

Building trust and confidence in cyberspace: Advancing international law

04:38 – “Is Europe up to the challenge of adapting security and defence, economic and social wellbeing, and resilience to the demands of the digital age?” asked the moderator Jamie Shea, Senior Fellow at Friends of Europe and former Deputy Assistant Secretary General at NATO. He called “cyberspace and artificial intelligence a wild west, where anything goes but where rules and standards are increasingly defined.”

14:29 – “Guidelines and regulations won’t make killer robots follow the rules of law, nor will they result in ethical killing machines. Nor will they stop the spoofing and hacking of killer robots, the results of which no-one can predict,” said Jody Williams, 1997 Nobel Peace Prize Laureate, for her work to ban the use and deployment of antipersonnel landmines and destroy existing ones.

She argued that guidelines and codes of conduct won’t work for these “unpredictable and exceedingly dangerous weapons”. The makers of these machines – in China, the US, Russia, South Korea, UK and Israel – are blocking decisions to make use of the new international treaty to stop such weapons. The EU must ensure that killer robots never appear on the battlefield and negotiate a treaty to ban them.

27:09 – “If you want proper cyber-defence, you need to invest in human resources, cyber-security technology, IT training and exercises and international relations. When an attack appears, everything should be ready,” said Jüri Luik, Estonian Minister of Defence. Estonia was shocked by the 2007 cyber-attack on its public communications, government agencies, banks and websites, etc. It was the first state-wide attack and the perpetrator was a state. So Estonia created an information systems authority to coordinate its national cyber-security, built cyber-defence into its armed forces, and in 2018 the Estonian Defence Forces launched a cyber command.

According to Luik, “A good cyber-defence must invest in human resources, cyber-security technology, joint training exercises and international relations. So when an attack happens, everything is ready. This is the best defence!” Deterrence is difficult in the cyber domain, but it’s getting harder for attackers to be anonymous. We should name and shame them and use other measures, such as sanctions. There have been few cyber-attacks by militaries, because of the fear of a cyber-war.

Other key comments made by Luik:

• NATO is entitled to raise cyber-attacks on its member states to Article 5 level, because these attacks could lead to massive damage on a country or society.
• Allies must do information exchange and situational awareness, but security concerns hamper trust
• AI will soon give cyberattackers a powerful new tool.

Despina Spanou, Head of Cabinet to European Commissioner Margaritis Schinas, announced the launch of a cybersecurity package on 15 December, together with a revision of the law on critical infrastructure, because “It’s impossible now to divide security systems, information systems and physical security.” The EU is also creating a community for everything related to EU cybersecurity.

33:22 – “Cybersecurity has been on the European Commission’s agenda since July 2020, when we proposed our first strategy setting out a new EU Security Union Strategy for the period 2020 to 2025, including the physical and digital worlds,” said Spanou. She also noted the EU’s unique model law, the NIS Directive (Directive on security of Network and Information Systems). Now being revised, this obliges Member States to have their own national cybersecurity law, emergency response teams, and for operators of critical infrastructure to record cyberattacks. Spanou added that Covid-19 was a test case for the resilience of the EU, which successfully withstood several cyberattacks on hospitals and vaccine R&D lab centres.

Further essential EU action:

• Revision of the Cybersecurity Act, new European Cybersecurity Competence Centre, and stronger cybersecurity agency (ENISA).
• Cybersecurity skills shortage addressed in the new strategy.
• In EU’s toolbox, diplomacy is the first tool applied to cybersecurity, sanctions also possible.
• For private sector: creation of Information Sharing and Analysis Centres (ISACs).
• Citizens can access certification for connected products in the home

48:59 – “Responding to a cyberattack requires real-time coordination globally and a global response at scale,” noted Katie Missouris, CEO and founder of Luta Security. She told the audience that after hacking computers professionally, she started hacking policy and governments and created the first Pentagon programme to embrace hackers.

According to Missouris, it will be hard to meet any of the future cyber challenges or to decide how to protect and defend ourselves, as we and society co-evolve with an dependence on cybersecurity: “So we need to address the cybersecurity workforce shortage and create pathways for cross-training across all industries. “ She also highlighted a tricky cybersecurity conflict: nations know what is possible but also what is desirable for them.

Increasing regulation of international laws for cyberspace

53:58 – “Last decade, there has been legal progress internationally on cyberspace, with broad international support for UN reports (2013 & 2015) on responsible state behaviour in cyberspace,” said Kadri Kaska, Head of the Law Branch of the NATO Cooperative Cyber Defence Centre of Excellence. She noted how the Tallinn Manual identified existing international law that applies to state conduct generally, and thus to states’ interactions in digital space: “This deepened our understanding of existing law and stimulated the states to develop positions . But ultimately it’s the states, not academics, that make laws and they must figure out how to reconcile conflicting interests.”

Kaska said having a new treaty on cyberspace wouldn’t help, due to big questions on laws about implementation. UN states must respect each other’s sovereignty and can’t intervene in each other’s internal matters. So it’s illegal to use destructive force on critical infrastructure and essential services like energy and transport.

“Stability in cybersecurity is essential, because we need reliable IT to maintain our way of life – not least during Covid. Yet states want to retain some freedom of action in cyber, so they are reluctant to spell out clear rules,” she concluded.