Why responsible stakeholders must build a strong, unified defense against cyberattacks
Illustration by NICOLÁS ORTEGA
The future of the cyber landscape looks pretty bleak. The past two decades have seen the proliferation of offensive tools and operations in cyberspace by state and nonstate actors. Organized criminals divert widely used technologies for profit and disruptive attacks. Cyber arms, offensive tools and concepts of attack developed by one state can be reused by other states, leading to a cyber arms race. Cyber threats have become more hybrid, as an increasingly diverse cast of malicious actors combine different methods and operating modes against a greater variety of targets to create ambiguity. Meanwhile, digital transformation, accelerated by the COVID-19 pandemic, has expanded the attack surface exponentially, generating even more vulnerabilities.
As a result, cyber threats are increasingly systemic. This rapid, massive and uncontrollable propagation of attacks threatens the security and stability of cyberspace itself. But the threat extends beyond cyberspace. The consequences — intended or unintended — can be severe, potentially disrupting the stability of societies that have grown highly dependent on digital data and technologies. We rely on digital technologies and data to solve the complex challenges we face for our collective security, such as pandemics or climate change. The last wave of ransomware attacks that hit hospitals amid the pandemic starkly illustrates these issues. Such attacks threaten international peace and global security.
Yet despite devastating attacks at a global scale, the perception of this systemic risk does not seem to prevail. Cyberspace is first and foremost regarded by states as a field of strategic competition and confrontation. Given the exacerbation of geopolitical tensions between great powers, countries have no incentive to regulate cyber espionage or give up their offensive capabilities. Instead, they have engaged in a cyber arms race that has begun to backfire.
International discussions on norms of responsible behavior and the application of international law to cyberspace have certainly encouraged self-restraint, but this multiplicity of dialogues and processes seems to have reached a stalemate. States are struggling to deter harmful behavior while preserving their own margins of maneuverability in cyberspace. All too often, the policy emphasis has been put on “naming and shaming” and assorted threats of punishment, with mixed results. Attribution of attacks is difficult and uncertain in cyberspace, and deciding on the appropriate response can be challenging, as most of the attacks are either ambiguous, motivated by intelligence, or just below the threshold of what could trigger a countermeasure under international law. Additionally, many attacks are perpetrated by nonstate actors, who often operate with total impunity due to insufficient international cooperation in the implementation of cybercrime laws.
Given these shortcomings, we need to focus on a stronger defense involving all stakeholders to address this systemic risk. Governments, academia, civil society and the private sector must cooperate closely to encourage capacity building, reinforce the security of digital products, train the workforce, elaborate meaningful cybersecurity strategies and policies, and improve cooperation on threat analysis and incident response. Such efforts have been initiated by multiple bodies, including the Paris Call for Trust and Security in Cyberspace and the Global Forum on Cyber Expertise, but they need to be expanded at scale and across the globe. We must also invest in education and research to gain deeper understanding of our vulnerabilities and strategic dependencies to better anticipate and manage cyber risks.
A good defense can deter attackers because it becomes too costly to mount an attack, except perhaps for state-backed actors who have deeper pockets and more substantial resources to achieve their strategic goals. Stakeholders also have a role to play in demanding cyber stability through the commitment of states to international law, norms of responsible behavior and confidence-building measures, along with international cooperation and the nonproliferation of cyber arms.
Ultimately, our societies are far too dependent on cyberspace and digital technologies to tolerate the constant threat of attack. All responsible state and private partners should work together to strengthen our defenses, defeat malicious actors and end this cyber arms race to the bottom.
Frédérick Douzet is professor of geopolitics at the University of Paris 8, director of the French Institute of Geopolitics research team and director of the Center Geopolitics of the Datasphere. She was appointed to the French Defense Ethics Committee in January 2020. In 2017, she was part of the drafting committee for the French Strategic Review of Defense and National Security. From 2013 to 2018, she was the director of the Castex Chair of Cyber Strategy at the Institute of Higher National Defense Studies and from 2017 to 2020, she was a commissioner of the Global Commission on the Stability of Cyberspace.