"The Weaponization of Cyber Space" – Report from the MSC Cyber Security Summit in Tallinn
How can we defend democracy in the digital age? And how can we ensure that military technology, strategies, and procurement planning stay in sync with the accelerating pace of technological innovation? These were among the pressing questions raised by senior leaders from politics, the business and tech communities, academia, the military, and the intelligence sector at the MSC Cyber Security Summit 2018 on May 28 and 29. It was the sixth Cyber Security Summit the MSC hosted jointly with Deutsche Telekom, with this year's summit also benefitting from cooperation with the Ministry of Foreign Affairs of Estonia and the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE).
After summits in Silicon Valley and Tel Aviv, this year's event took place in Tallinn, Estonia – a country whose special role in the cyber field is twofold, as two Munich Young Leaders alumni explained: As a past target of attacks, "Estonia has shown that cyber threats are real," declared Merle Maigre, Director of the NATO CCDCOE; yet today, as Foreign Minister Sven Mikser explained to participants, the country is also "one of the most digitalized nations in the world" and a leader in cyber security and e-governance. With the Tallinn summit in the context of its Cyber Security and Technology Series, the MSC continues to push for a vibrant debate on the challenges of cyber security – and for good reason: By now, cyber security has become an integral part of the international security agenda. Yet, we still struggle to properly prepare for the enormous challenges ahead. And while we do so, new cyber threats and hazards arise. In Tallinn, the discussion of security risks posed by cryptocurrencies and blockchain technology thus complemented that of more "traditional" challenges like credible deterrence in the cyber age.
Defending democracy in the digital age
The question of how digital technologies threaten democratic processes was a dominant theme throughout the different roundtables and panels. Open societies, participants agreed, are not only more vulnerable to information warfare than autocratic regimes. Democracies' commitment to the freedom of speech also deprives them of certain instruments of defense against external interference that autocratic countries like China eagerly exploit – namely disconnecting their countries from the Internet. Especially at the roundtable session on Baltic security issues co-organized with the International Centre for Defense and Security (ICDS) in Tallinn, the information warfare and fake news campaigns waged by Russia were invoked as one of the major cyber threats to democratic societies. Another serious threat, highlighted by General David Petraeus in particular, was the use of social media by extremists for recruitment purposes. Given these challenges that arise in the cyber domain, David Koh, Commissioner of Cyber Security and Chief Executive of Singapore’s Cyber Security Agency, urged countries to put more effort into both technical and societal resilience. His co-panelist in the afternoon panel on "fighting the war after next", Heli Tiirmaa-Klaar, Head of Cyber Policy Coordination at the European External Action Service, highlighted that efforts to defend against information warfare need to respect the freedom of expression. Autocracies, Tiirma-Klaar cautioned, had been trying to restrict freedom of the Internet for the past ten years – but, she argued, "we can have technology and freedom" and should aim to ensure that both remain compatible.
Technical innovation outpacing military planning
A key question participants grappled with was how governments can keep up with innovation in the tech industry that is already outpacing military planning and procurement. Governments have to adhere to stricter standards when adopting new technologies and awarding contracts than private actors. It was suggested that instead of trying to design perfect processes, states should adopt a culture of experimenting and be more comfortable with making mistakes. During a closed roundtable session co-organized with the Cyber Innovation Hub of the German Bundeswehr, the U.S. Defense Department’s Defense Advanced Research Projects Agency (DARPA) was discussed as a model that Europe should aspire to. Other experts argued that instead of focusing on such long-term projects, European governments should prioritize adopting existing technology that is already available in the private sector. Public-private partnerships may be the way to go ahead in this regard. As governments can rarely offer competitive salaries, the Estonian Defence League's Cyber Unit, a voluntary organization aimed at protecting Estonian cyberspace, was mentioned as a positive example of how governments can better draw on expertise in the private sector. Furthermore, participants argued, "white hat" hacking laws should be implemented that allow citizens and companies to identify vulnerabilities and share them with governments without fearing prosecution. Overall, participants agreed, there is a need for much greater public-private cooperation on technology.
Deterrence in an interconnected world
A further question that arose during the conference was whether – and how – deterrence was still possible in a digitalized world. Not only do we see a "weaponization of everything," as General David Petraeus stated, through which it becomes increasingly difficult to define what constitutes an attack – we also face the even greater obstacle of not being able to clearly identify perpetrators and from where an attack originated. In this context, panelists debated where the threshold for a serious act of aggression lies. How should countries retaliate against the spreading of fake news, deliberately aimed at destabilizing democratic states (e.g. during an election campaign as seen in the US in 2016), or against a cyber attack on critical infrastructure with fatal consequences? It was clear to participants, however, that cyber aggression could trigger an Article 5 scenario and serious countermeasures. According to Estonia's defense minister, Jüri Luik, the question whether to treat an attack as a trigger for NATO’s collective defense clause depends solely on the effect of the attack, not on the tools used.
Once an attack is carried out, it may be technically possible to find digital signatures that can be traced back to the perpetrators. Yet in the cyber domain, it is unlikely that one can achieve attribution beyond a doubt. This, many panelists concluded, renders attribution a political act that requires trust among those deciding to respond to an attack – a form of "signaling" to an adversary one's readiness to clearly name and punish an aggressor. During one discussion, the quick and unified Western response to the Skripal poisoning was mentioned as a positive example of such a joint, decisive answer to an attack despite the difficulties of definite attribution. As the former president of Estonia, Toomas Hendrik Ilves, stated: A retaliation does not necessarily have to happen in the cyber realm; it could also take the form of specific measures like travel bans or exclusion from the SWIFT banking system.
The urgent need to further develop global cyber norms
To counter and deter cyber attacks, states need to further strengthen their defenses, both on a national and on an international level, President of Estonia Kersti Kaljulaid concluded on the panel discussion on "Cyber Norms: Beyond the Tallinn Manual 2.0". Internationally accepted cyber norms may certainly help in this regard. Michael Schmitt, Professor of International Law at the University of Exeter, stated that the challenge with global norms for the use of cyber weapons does not lie in their creation – he emphasized that such norms already exist – but rather in their unambiguous interpretation and strict implementation. And even though cyber threats do not stop at national borders and private actors play an important role in this realm, states are still the most important actors when it comes to enforcing and thus strengthening international cyber norms, panelists concluded.
Learn more about the MSC Cyber Security and Technology Series here.