OSCE: Challenge of a security regime based on unknowns

Cyber warefare has become a hot topic in the international community. What sounds like from a Sci-Fi movie, has become a realitstic scenario nowadays.

The panel offered a very lively debate on cyber security, the fifth dimension of warfare after land, sea, air and space. This classification puts it on the same lines as conventional warfare, which suggests the increasing impact cyber security will have in areas like foreign policy. The panel was made up of representatives of international organisations, such as NATO and the OSCE as well as well as academia and the private sector giving an incredibly interesting insight into their respective fields and enabling the audience to see their common ground and ways of cooperation.

For Ben Hiller, OSCE Cyber Security Officer, the major challenge of cyber security is the use of information technology by states and state sponsored entities, which is spiralling out of control. While it is likely that states were involved in recent cyber attacks, the attribution of these attacks still remains difficult, which may over time escalate into conflicts. To address this, states should communicate on their capacities and draw red lines, giving other partners more insight into what is and is not acceptable for them. The key word here is confidence: Confidence Building Measures (CBM) are ”the maximum and the minimum the OSCE can do”. The OSCE plays a major role in it, since it is the only international forum that achieved an agreement on practical measures between what are traditionally called Eastern and Western states.

The increasing recognition of cyber security as a domain of foreign policy was further emphasized by Chelsey Slack, NATO Policy Officer on Cyber Defence. The NATO’s 2016 Cyber Security pledge illustrates the importance of this field also for the NATO allies and its partners. Cyber security is a « team sport », Mrs. Slack joked. It involves not only member states, but also other partners like the EU, industry or academia. The NATO offers a platform for them to share information and coordinate their action regarding cyber security, from pre-emption to reaction.

Coordination between actors is indeed crucial, Nemanja Malisevic agrees, who works as a Senior Security Strategist for Microsoft. He emphasised the importance of Private Public Partnerships (PPP), which are highly discussed but still difficult to implement in an effective way. Drawing further on the role of private entities, the specialist brought up the establishment of norms by companies, something that Microsoft has been developing in various countries.  Enhancing cyber-security norms and CBMS to determine state and industry responsibility is thus a crucial policy area. A second idea which could further cyber security would be the creation of an independent institution where public and private actors could cooperate with experts. The aim of such an institution would be to conduct a technical analysis of the attacks and to identify who is responsible for the attack.

Guido Gluschke, Director of the Institute for Security and Safety (ISS), also drew greater attention to the role of different actors and the way they could coordinate to address cyber threats. Indeed, the ambiguities of cyber security go beyond the question of attribution, they revolve around two main challenges: firstly to understand the threats correctly and secondly to detect and give a proportionate response. The first difficulty is that states don’t have a clear understanding of what is going on. They therefore need to classify the threats to be able to respond accurately.  The second difficulty is about how to organise a reaction process: who is responsible in this process? At what level does security need to be organised, and with which actors? Gluschke built on Malisevic’s remarks about the involvement of private companies. For him, PPP is a positive point but the private sector should really be integrated into the architecture of a security regime, which should go beyond the nation state.

Harknett, the moderator of this panel perfectly captured the ambiguity of cyber security starting already at the detection level and reaching to the reaction level.

The danger of cyber attacks isn’t indeed only about the attacks themselves but about their consequences on interstate relations. Therefore, a key idea that ran through the intervention of all panellists was the need for transparency and cooperation to build an effective security policy.