Many malicious cyber activities may well be state-sponsored or state-driven. As cyber activities allow global operations, cyber actors can achieve effects beyond their own state borders. State actors usually operate in cyberspace according to specific duties and responsibilities as regulated by international law. However, in addition to this regulated type of behaviour, states also demonstrate unlawful behaviour on the internet. Actual state behaviour that jeopardises international peace and stability encompasses anonymous operations, cyber espionage, the use of proxies, knowingly allowing malicious activities, the use of military cyber capabilities for offensive purposes, and the conduct of covert operations.
A common understanding of malicious cyber activities as a worldwide threat to international peace and security has resulted in the ambition to develop politically-binding confidence-building measures for cyberspace. By establishing non-legally-binding norms for responsible state behaviour, cyber confidence-building measures (CCBM) aim to enhance predictability, security and stability. The development, acceptance and implementation of such measures may help prevent potential destabilisation. But why is it that, despite various international, multilateral, bilateral and local initiatives, such measures have to date only materialised to a limited extent?
It appears that ten stumbling blocks complicate reaching a global agreement. Different interpretations and the lack of common definitions hamper a sound debate. The discussion is compounded by the large number of stakeholders, each with their own concerns, interests, norms and values. Furthermore, the usual mutual distrust between the major world powers hinders the creation of worldwide measures. They use proxies to evade or deny legal or political responsibility. And although transparency may reduce distrust and fear, states are not likely to give up their large degree of anonymity in cyberspace.
A cyber-weapon is nothing more than computer code; easy to deny and difficult to detect. CCBM ruling out the design, development, production, or testing of cyber-weapons seem unlikely. In addition, when conflicts are triggered intentionally, CCBM are of limited use. The skills, knowledge and means that are necessary for cyber defensive purposes are rather similar to those used to execute offensive activities. CCBM that would exclude particular cyber skills or means, or which would entail a ‘no first use’ declaration, therefore seem unrealistic. Non-binding measures that, beyond the current international Law of Armed Conflict (LOAC), would exclude specific (cyber) targets from (cyber) attacks seem unfeasible. Due to cyberspace’s features, three characteristics for successful measures (i.e. local ownership, multi-level implementation and verification) can hardly be complied with. And finally, devastating major cyber-incidents with a worldwide impact have not yet taken place, resulting in a lower sense of urgency to develop and implement worldwide measures.
In theory, all necessary ingredients to mitigate the risk of cyber incidents escalating into interstate armed conflict are within the power of states. In practice, the level of distrust and the fundamentally different values between states appear to be so high that agreement on even ‘simple’ norms cannot be reached. The discussions around cyber confidence-building measures are only partially a technological challenge. To a much larger extent, it is a human behaviour problem, primarily related to trust and confidence in both technology and other people. Unless game-changing worldwide cyber-catastrophes occur, it is unlikely that worldwide acceptable, politically-binding CCBM will be created and implemented. Cyber confidence-building measures will appear to be illusory.