Not espionage as usual

Event report

While good uses of espionage maintain peace and security and avoid conflicts, espionage today is used in an indiscriminate manner. Espionage is a pervasive, unique, and insidious threat stated Mr Stéphane Duguin (Chief Executive Officer, CyberPeace Institute). Most state sponsored attacks are done for espionage purposes (2021 Microsoft Digital Defense Report (MDDR)), added Ms Kaja Ciglic (Senior Director, Digital Diplomacy at Microsoft).

In this session, concerns were expressed regarding spying on civil society and normal citizens, using such tools as NSO, Pegasus, and cyber mercenaries, by governments. The financial strength of some cybercriminal groups matches that of small countries. Concern was expressed regarding attacks on hospitals and health care data; these attacks need to be treated differently, shared Dr Talita de Souza Dias (Postdoctoral Research Fellow at the Oxford Institute for Ethics, Law and Armed Conflict (ELAC)) and these should be off limits.

From the industry perspective, espionage attacks such as the Solarwinds are problematic, mentioned Ciglic. It raises concerns regarding and distrust of critical functions that keep the internet safe (such as the software update mechanism). Additionally, the consequences of such attacks are much broader. While in the traditional offline world, espionage is understood as a person following another in order to obtain information, in cyber espionage,  the attacks affect the products and services of millions of people.  An attack may affect everyone that uses the service regardless of whether they were the target or not. Such attacks not only pose a challenge for users and their rights, but also for big companies, as they have to withstand on a daily basis attacks from either government or government-sponsored actors. Dr Serge Droz (Forum of Incident Response and Security Teams (FIRST)) added that such attacks open up vulnerabilities that are misused by others.

Rather than looking at espionage as a state controlled and forced capacity and market, it is necessary to acknowledge the existing industry-led market that is developing and setting the tools, Duguin pointed out. Souza Dias added that it is necessary to understand the specificity of the types of operations from an international law perspective when dealing with the attacks.  While it may not apply specifically to espionage, different international rules might be applicable.

On the argument that cyberweapons may help to level the field for countries, Ciglic suggested that ‘as you level the field, you are in danger of destroying the field in the process’. If espionage is considered okay and if it is acceptable for companies and organisations to offer cybersecurity solutions, the challenge lies in lack of agreement or adoption of the definition of responsible use of cyber security technologies, opined Droz. He further added that smaller nations have a disadvantage and powerful states need to take more responsibility.

Souza Dias considers that the establishment of rules and boundaries for espionage would be helpful. More research on the scale of espionage and supply chain attacks is needed. While we have some idea of the degree of malicious operations globally, a lack of academic research data hinders progress,  Droz pointed out. Most of the data available is biased as it is presented by security companies who base their analysis on a specific set of data without considering all actors and parameters.

Investment in capacity development by the states is important; it is also vital to establish rules and boundaries for espionage, to focus on implementation and hold actors accountable, to adopt greater transparency and understanding of what is happening, to focus on prevention.  Different experts must be brought together to provide specific guidance in how international law and the norms of responsible state behaviour must be implemented. While the UNGGE report has few measures on obligations of victim states, specific technical standards for states and their cybersecurity teams should be developed and put in place to prevent attacks, shared Souza Dias.

By Amrita Choudhury

Session in numbers and graphs

Automated summary

Diplo’s AI Lab experiments with automated summaries generated from the IGF sessions. They will complement our traditional reporting. Please let us know if you would like to learn more about this experiment at ai@diplomacy.edu. The automated summary of this session can be found at this link.