Distinctions between offline and online conflicts are blurring as tools and tactics deployed in cyberspace trigger real world consequences.
In Mexico, for example, commercial spyware has been used to spy on journalists and activists investigating government complicity in corruption and human rights violations. The WannaCry ransomware that caused the shutdown of the United Kingdom’s National Health Service, cancelling thousands of medical appointments and operations, was allegedly sponsored by North Korea and employed tools pilfered from the United States’ National Security Agency. In Xinjiang province, Chinese authorities are using a combination of mass surveillance, online censorship, DNA collection, and artificial intelligence at an unprecedented scale leading to the preventative imprisonment of hundreds of thousands of ethnic Uighurs. State-sponsored misinformation campaigns have interfered with democratic institutions and undermined national elections – from the United States to Kenya.
Although cyberattacks have not yet led to loss of life, we should not wait until they do serious harm to start thinking about how international efforts to protect civilians from conflict offline might help inform efforts to protect human rights, democratic norms, and broader security of civilians online.
In recent years governments, companies, and civil society organizations have all recognized the importance of protecting human rights online; yet the international community has failed to fully uphold these core principles in cyberspace. In 2017, efforts to establish norms of responsible state behavior in cyberspace through a UN Group of Government Experts deadlocked amid acrimony about the militarization and the application of international humanitarian law online. Nonetheless, the increasing number and severity of state-sponsored cyberattacks against civilians has led to a pressing need to establish clearer norms of behavior.
Back in the 1990s, when conflicts in the Balkans and Africa’s Great Lakes region put the protection of civilians on the international agenda, the international community began to develop a range of norms and institutions, such as the Responsibility to Protect doctrine and the International Criminal Court. Some initiatives were multilateral in nature while others were entirely independent of states. In a similar vein, Microsoft has recently proposed establishing a digital analogue to established civilian protection instruments, advocating for the creation of a “Digital Geneva Convention” to protect civilians from nation-state cyberattacks. This effort has brought unique public attention, but many experts have expressed concerns that the Geneva Conventions is the wrong model for this issue. While Microsoft’s concept is a step in the right direction, we think there are better examples drawn from existing models of international conflict reduction in which to look towards. We propose several alternative ideas for preventing conflict in cyberspace from harming civilians.
First, the international community needs to achieve greater consensus about what norms constraining state cyberattacks against civilians would look like. The process that established human rights responsibilities for multinational companies and created the UN Guiding Principles on Business and Human Rights offers insight. In the early 2000s, longstanding efforts by certain governments to hold transnational companies accountable for human rights violations culminated in a UN sponsored code of conduct that was ignominiously rejected by governments and companies alike. In 2005, UN Secretary General Kofi Annan tasked John Ruggie with breaking the deadlock and clarifying respective human rights responsibilities of states and companies. Years of painstaking consultations culminated in the “Protect, Respect, and Remedy framework” and the UN Guiding Principles on Business and Human Rights, which created a shared understanding of roles and responsibilities for human rights in the private sector. As Rose Kimotho of the Institute for Human Rights and Business put it: “The UNGPs have shifted the conversation from whether business have human rights obligations to whether businesses are doing enough to prevent, mitigate and redress violations associated with their operations.”
A similar consensus building effort regarding norms of appropriate state behavior in cyberspace might prove helpful. The UN Secretary General could swiftly establish and appoint a representative for civilian protection in cyberspace. In this role, someone with appropriate stature and skills could work with governments, the private sector, and civil society to lay the groundwork for a rights-based and civilian protection-centric approach to cyber norms.
Second, international advocates should consider whether establishing a non-governmental organization dedicated to civilian cyber protection issues could make a positive difference. The International Crisis Group (ICG) was born out of a conversation Mort Abramowitz and Mark Malloch Brown about the inadequacy of the global response to the Balkans crisis. They proposed establishing an independent organization that would press for international action to stop violent conflict. Working independently from states but with legitimacy derived from an expert staff of former diplomats and journalists, ICG is an instructive example of how “Track II” diplomacy grounded in expertise can have a positive impact on international crises when multilateral methods fall short.
Another relevant example is Crisis Action, an NGO formed in 2005 to catalyze joint action by humanitarian and human rights organizations. Crisis Action is purely a coordination body that develops opt-in coalitions to work on particular conflicts around the world. A similar initiative for cyberspace could provide an impartial convener of groups with shared values and expertise to work collectively in response to specific cyber threats, whether they emerge from a particular geography or involve specific tactics (e.g. botnets or ransomware).
It is worth noting that some of the most accomplished technical experts in the field of attribution have urged an international approach that is not centralized under any one organization, be it a UN body or an independent organization. The actors involved in security research and attribution include everyone from academics and NGOs to cybersecurity consulting firms, security teams at the major tech companies, independent security researchers, and intelligence and security agencies. Putting aside the thorny issue of involving government agencies in this work, there may be utility in bringing the decentralized network of academic and NGO researchers under a formal umbrella.
Finally, the UN could consider establishing independent experts to monitor and investigate cyber-attacks against civilians when they occur. Such a multilateral model already exists. When the UN Security Council establishes an arms embargo or sanctions regime for a particular country or region, it tasks “panels of experts” who operate under the UN but independently of states to monitor implementation and recommend targeted sanctions against individuals and entities who are in violation. These panels are by no means perfect. Their efficacy depends on the capacity and determination of the experts themselves, and their reports and recommendations are subject to the political pressures of states. Nonetheless, deploying such a mechanism could be one way to put experts from academia and the private sector to work in an independent capacity to document cyber-attacks against civilians under the aegis of the United Nations.
The loose constellation of norms and institutions that have arisen in the past quarter century to protect civilians from armed conflict and mass atrocities are by no means perfect. Conflict continues to rage in many parts of the globe, and the commission of mass atrocities has not ceased (although it has diminished). Nonetheless, such efforts have made a big difference in mitigating violence against civilians and shifting state behavior. We believe that more collaboration between offline and online efforts to protect civilians will pay important dividends. The world has been fortunate that cyberattacks have yet to result in significant casualties in the real world. That may change in the coming years. Now is a crucial moment for the international community to act and forestall real harms that may accrue from increasingly reckless and threatening cyberattacks against civilians.