Quantifying peace and conflict in cyberspace

Event report

[Read more session reports and updates from the 14th Internet Governance Forum]

It is difficult to diagnose the state of peace and conflict in cyberspace. Greater accuracy should be established, based on various indicators.The Global Peace Index, developed by the Institute for Economics and Peace, can be used as a starting point. Mr Serge Stroobants (Institute for Economics and Peace, Australia) posed three questions for consideration:

1. What are the current trends in cyber conflict today? Do we consider a cyber-attack as the lesser evil in conflict and can it replace kinetic warfare?
2. What data indicators we can use to measure cyber conflict?
3. What is the role of civil society, SMEs, and technical industry in creating peace in cyberspace?

It is difficult to measure peace in cyberspace because of geopolitical tensions and ambiguity when countries are attackers and victims at the same time, said Ms Latha Reddy (Global Commission on the Stability of Cyberspace). Also, it is difficult to distinguish between national cyber-attacks, that happen within the state, and international attacks: ‘It’s easier to compare two countries, but how would you then create an index that also looks at how peaceful a country is in cyberspace in their own territory or among users in their own space?’ Reddy also pointed out that the number of attacks as an indicator can be misleading since many of them are not disclosed due to risks to reputation or national security concerns. Instead, she suggested using indicators of resilience of each country in regard to cyber-attacks. In relation to the issue of lesser harm from cyber-attacks in contrast to kinetic war, Reddy objected that it highly depends on the sector that suffers an attack. ‘Unfortunately, or fortunately, we haven’t faced the terrible cyber-incident that has been forecast for so many years and which would frighten people into regulating this space, but it does not mean that the damaging potential does not exist’.

Another trend for peace and conflict in cyberspace is the multi-polar distribution of cyber capabilities. According to a study by DiploFoundation, more than 50 states openly confirm the possession of offensive cyber capabilities. That brings more instability to the international system, says Ms Marilia Maciel (DiploFoundation, Digital Policy Senior Researcher). She also pointed to the proliferation of offensive cyber technologies among non-state actors, including organised crime, due to the decreasing cost of such technologies. Absence of consensus on how to apply international law to cyberspace, together with blurring of lines between traditional kinetic and cyber operations only adds to cyber-insecurity. Maciel also pointed to the need of a clear definition of the relevant data sources needed to develop metrics of peace in cyberspace. Metrics developed by ITU, GFCE are useful, but do not show the whole picture. She suggested taking into account how states address freedom of information when fighting with misinformation.

Several years ago some experts were against governmental regulation in many areas of the Internet; now, however, different companies are calling states for regulation of areas like misinformation and facial recognition. Additionally, SMEs are missing in the regulation debates, but they are important for supply chain security.

Ms Izabela Albrycht (Chair of the European Committee Cybersecurity Forum) spoke on the thresholds of cyber-attacks after which point they become an armed attack. ‘So, a cyber-attack would be an individual act intended to cause damage, destruction, or cause casualties. There is also a grey area since when we think about disruption, particularly the disruption of services and data, it should correspond to the level of the use of force’. Cyber-weapons are in many ways as dangerous and inhuman as chemical or biological ones, we can observe militarisation of cyberspace with new technologies that have a potential to become hard power for state actors.

Albrycht added to the discussion of possible indicators to measure peace and conflict in cyberspace:

1. a measure of the gravity of cyber-attacks
2. a measure of the number of data breaches and their gravity
3. indicators showing the likelihood of being a country of origin of a cyber-attack, after the public attribution at different levels of certainty that it happened
4. a number of conventional reactions to cyber-attacks, for instance, economic sanctions, diplomatic measures, cyber military expenditure as a percentage of GDP
5. the likelihood of being the country of origin of disinformation after the public attribute again, or the different levels of certainty

Finally, Ms Liga Rozentale (Microsoft, Director on EU Policy on Cybersecurity) shared the Microsoft cybersecurity routine: ‘We detect five billion cybersecurity threats a month and assess six and a half trillion signals daily – does this statistic tell you if there is more peace in the world? Not particularly, but over the course of years you can say there are more attacks, detect more signals, try to do more to avert the attacks but doesn’t necessarily indicate what happens to peace’. While referring to various reports and documents of international organisations, Rozentale recalled the Paris Call, which now has over a thousand endorsements from states, civil society, academia, and industry. ‘This number alone is not what will influence peace. It will be the actions taken to implement the nine principles of the Paris Call that I think will bring about peace that is unfortunately not so easily quantifiable’.

By Ilona Stadnik