Cyber-space: a battlefield without regulation

Léonie Van Tongeren
International Catalan Institute for Peace
Léonie Van Tongeren

Léonie Van

Some say the next war will be in cyber-space. But what exactly is a cyber-war? Was the 2008 attack against Georgia an act of cyber-war or merely a conventional war with offensive cyber elements? Are viruses like "Stuxnet" and "Flame", which caused malfunctions in nuclear plants in Iran, acts of war? What is the threshold for declaring a cyber-attack an act of war? And to what extent are the current laws of war applicable to cyber-conflict? While States increasingly recognise they are highly unprepared for cyber-threats, debates on the regulatory frameworks to be put in place in order to counter them reflect opposing views on many issues.

Although there is as little agreement on the legal qualification of these phenomena as there is on its terminology, these cyber-security issues constitute one of the most sensitive domains of the wider regulatory field of global Internet governance. They are also deeply entangled with multiple other subdomains, such as the right to Internet access, the right to privacy, and net neutrality. Wider debates on the best regulatory model for the Internet therefore project themselves in the cyber-security field. With many attacks coming from non-State actors and approximately 80% of States' critical national infrastructure in hands of the private sector, cooperation beyond State-level seems the only workable approach. But which ever kind of institutional architecture is chosen, even after establishing international rules the question remains how to ensure those rules are observed.

The lack of international agreement on how to tackle crime and conflict in cyber-space has tangible consequences. It allows criminals to operate with impunity in a low-risk, but highly profitable (with profits surpassing the combined trade in marijuana, cocaine and heroin) and anonymous environment that offers an almost unlimited amount of targets.

This does not mean that the international community has stood completely idle in the face of this growing concern. Several international initiatives, aiming to take up the challenges of regulating cyber-crime and cyber-conflict have indeed emerged in recent years. Some are led by States or international organisations, such as major info-security conferences, others by think-tanks. Interesting examples of such Track-two initiatives are the Cyber-40, a coalition of representatives of the G20 and the next 20most important cyber countries, and the Worldwide Cybersecurity Initiative, both of which have been set up by the EastWest Institute.The Secretary General of the UN's International Telecommunications Union (UIT), Hamadoun Toure, has even called for a cyber peace treaty, stipulating that countries should protect their citizens in the case of a cyber-attack and not harbour cyber terrorists. But diverging views on the usefulness of conceptualizing cyber-conflict as international conflict and on the most effective ways to prevent and frame it make coming to a universal agreement currently impossible.

Progress may therefore be more rapidly achieved on the regional level. The EU, for example, is working on an inter-institutional response. A European Cybercrime Centre is to become operational at Europol's headquarters in January 2013 and, recognizing the need to agree on common definitions, the European Network and Information Security Agency (ENISA), the EU's 'hub' for information exchange in the field of information security, is trying to define standards. Additionally, the EU is working on a directive on the criminalization of cyber-attacks and pressing States to ratify the Council of Europe's Budapest Convention (2004), which aims to create a common criminal policy against cyber-criminals. Yet it should be stressed that cyber-conflict knows no borders, and that, although progress at the regional level should be welcomed, a merely regional approach is insufficient if it is not aligned to approaches of international partners.

Despite the clear and urgent need for more comprehensive solutions a quick fix should not be expected, however. It is worth recalling that only 20-30 years after the advent of nuclear weapons arms control systems were put into place. Alternatives such as cyber-confidence-building measures are therefore of key importance to fill the gaps until more weighty international action is taken. While the conditions for the establishment of such global legal regulatory framework for inter-state conflict and criminal threats to global electronic network security are unlikely to be adopted in the near future, the journey towards it can almost be an end in itself.