Europe’s successful Cold War confidence-building applied in cyberspace

As inter-State tensions and conflicts in cyberspace rise, the Organization for Security and Cooperation in Europe (OSCE) keeps pursuing a unique effort to build confidence among its 57 members, which include the US and Russia.

ASPI Cyber Policy
Nov 3, 2017

Today, the Informal Working Group of the OSCE on Cyber Confidence Building Measures (CBMs) discusses the conclusions and recommendations from the workshop that the Australian Strategic Policy Institute (ASPI) organized on 7 September in Vienna, Austria. The Scenario-based Facilitated Workshop on OSCE Cyber Confidence Building Measures aimed to validate a set of Cyber CBMs that the 57 member countries agreed to in 2016. As the OSCE’s membership comprises States like the US, UK, France, Germany and the Russian Federation, these agreements bear some significant weight.

Source: Wikipedia. Green = participating States; orange = partner States.

The experts from ASPI’s International Cyber Policy Centre guided officials from the various States through a full-day scenario of a cyber crisis that grew into a regional crisis. It required government representatives to identify and think through technical responses, legal implications, policy coordination and diplomatic relations. In particular, the officials had to assess at what stage information-sharing and response coordination required a concerted international effort.

Participants watching part of the scenario clip. Photo by: Tom Uren

The OSCE Cyber CBMs constitute the most advanced and detailed CBMs in use by a multilateral forum and, although they are voluntary, they form the basis for the further development of state practice and norms. This may not be completely surprising, given the Organization’s roots in building confidence between the two ideological adversaries of the Cold War: Washington and Moscow.

A history in effective risk reduction

From the 1970s onwards, the Organization — first called the Conference on Security and Cooperation in Europe — developed a standing practice of exchanging military information, implementing measures on the control of small arms and conventional ammunition, running a secure Communication Network and keeping track of military inspections and evaluation visits. Inspired by the work of the UN Group of Governmental Experts (UNGGE), some leading States within the OSCE initiated discussions in the early 2010s to see whether similar practices might be relevant to risk reduction in cyberspace.

In two stages, first in 2012 and later in 2016, the 57 OSCE participating States agreed by consensus on a set of 16 Confidence Building Measures that reduce the risks of conflict stemming from the use of ICTs. The measures can be traced back to three core factors:

  • Which channels a State can use to reach out to the authorities of the State from which threats emerge;
  • Which persons in that other State can be contacted at the appropriate level to request information;
  • What process is in place to guide these efforts, on which both the requesting and the answering State can rely.

The Diplomatic Challenges in Cyber

In the physical world, this may appear straightforward. A State can identify and verify potential adversaries, approach the responsible authorities, verify whether international law is violated and refer to its diplomatic channels to counter or contain the threat. Above all, there is plenty of case material that has tested these provisions.

In the cyber world, this is far more complex. States deal with a colorful set of uncommon stakeholders like CERTs, industry, registries and registrars, civil society, hacking groups, Internet Service Providers, etc. This goes beyond the mere notion of multistakeholderism.

The role of international law, despite a general agreement at the UN level on its applicability in cyber and the impressive work on the Tallinn Manual 2.0, remains ambiguous to this day. Think simply of questions like: when does a cyber attack constitute a deliberate attack on another State? What do non-interference and territorial integrity mean in cyberspace? How does one distinguish between military (legitimate) and civilian (not legitimate) objects?

Above anything else, proper observation and verification of ICT-related information are tremendously challenging. Attribution of a cyber threat as a deliberate political act by another State is therefore easily contested and hardly ever 100% evident. You can read the reticence to name culprits and disclose evidence for attribution in this week’s CBC story on State-sponsored attacks against Canada. Still, attribution is possible and it occasionally happens. A well-known example is the imposition of US sanctions on North Korea after the White House attributed the Sony Hack as a deliberate act to Pyongyang.

The Confidence Building Measures

The OSCE Cyber CBMs are a first formalized — and agreed — attempt among the 57 participating States. What do they say?

2016 Decision by the OSCE Permanent Council establishing 16 Cyber CBMs
  • The States shall establish authorized and protected communication channels. They may use the OSCE’s own secure Communications Network to request information on issues related to cyber.
  • The States must nominate a so-called Point of Contact at the technical level (those that manage ICT-related incidents) and at the policy level (to permit concerns to be raised at the national security level).
  • The States will hold consultations in order to reduce the risks of misperception and of the possible emergence of political or military tension.

Now, when a cyber incident grows into a threat originating from — or, worse, being authored by — another member State, there is at least a framework in place that allows for de-escalation and prevention of (further) conflict.

What does the OSCE example tell us?

The OSCE represents a unique case of inter-governmental convergence around a set of confidence-building measures specific to the cyber domain. Despite significant tensions, opposing ideologies and different levels of cyber maturity among the States, it is evidently possible to engage in open and transparent dialogues. The ASPI-facilitated workshop on 7 September was a case in point and is an act of confidence-building in itself.

Exercises like these allow States to reflect on their own level of maturity in a safe learning environment and take back homework. For assessing the effectiveness of any crisis management arrangement, the proof of the pudding is in the eating. This is something we should want to prevent. In the meantime, more workshops, dialogues, and exercises will follow and the example of the OSCE may be followed by more regional organizations.

Bart Hoogeveen is an analyst in ASPI’s International Cyber Policy Centre (ASPI Cyber Policy). Follow him on Twitter @BartHoogeveen
