Even though the war in Ukraine has only been waged for a few months as of this writing, there are already a number of important legacies that are worth exploring including its implications for the future of cybersecurity norm building, and more broadly the drive for cyber peace. In the opening days of Russia’s invasion, for example, Ukrainian defenders with help from Microsoft and NATO, revealed a wiper malware that was reportedly “aimed at the country’s government ministries and financial institutions.”1 Left unchecked, the worm could have crippled vital Ukrainian government services, dulling their military response and mobilization, along with causing widespread confusion in the broader population.
Offensive cyber behavior has not been limited to the Ukrainian theatre, either. Since the latest chapter of the Russian invasion began in February of this year, attacks on, in, from and via cyberspace have taken place—by state and non-state actors—around the world in places like Estonia,2 France,3 the United States,4 and Russia.5 As a result, lesson from the war in Ukraine is the potential for long-tried cybersecurity standards and strategies – including deterrence-by-denial, information sharing, and public-private partnerships – to be effective in blunting the ambitions of even sophisticated nation states. But another, perhaps more disturbing lesson is that all the work that has been done to define and instill cyber norms in recent years has not held back the ambitions of Vladimir Putin.
Indeed, a world best by pervasive cyber insecurity along with an active shooting war in Ukraine,6 it may seem odd to discuss the prospects for cyber peace. From ransomware impacting communities around the world,7 to state-sponsored attacks on electrical infrastructure,8 to disinformation campaigns spreading virally on social media, we seem to have relatively little bandwidth left over for asking the big questions, including: what is the best we can hope for in terms of “peace” on the Internet, and how might we get there?
Cyber peace is not a finish line, but rather is an ongoing process of due diligence and risk management as we argue in our new edited volume. In this way, a positive cyber peace may be defined as a polycentric system that: (1) respects human rights and freedoms, (2) spreads Internet access along with cybersecurity best practices,9 (3) strengthens governance mechanisms by fostering multi-stakeholder collaboration,10 and (4) promotes stability and relatedly sustainable development.11 These four pillars of cyber peace may be constructed by clarifying the rules of the road for companies and countries alike to help reduce the threats of cyber war, terrorism, crime, and espionage to levels comparable to other business and national security risks. This could encourage the movement along a cyber peace spectrum toward a more resilient, stable, and sustainable Internet ecosystem with systems in place to “deter hostile or malicious activity”12 and in so doing promote both human and national security online and offline.13
Increasingly we see that conflict is converging across domains: the goals and emotions driving war are not differentiated according to the physical or virtual worlds. While some research suggests that cyber options may lead to a reduction in violence,14 there are other studies that point in the opposite direction.15 What we might take away from the digital dimensions of the Russo-Ukraine War is that states fight in cyberspace the same way they fight in the physical world. To expect that Russia would ‘fight fair’ digitally when they are clearly not doing so on the ground in places like Bucha or Mariupol appears ludicrous. Indeed, as one observer points out, “Being a responsible power means [a state] will have to go the extra mile in terms of how it targets computer systems or networks, minimizes collateral damage, and tests its capabilities. The result is a longer, costlier and potentially frustrated process, which could ultimately reduce effectiveness and performance.”16 In other words, cyber peace, like all forms of peace, is not the default setting. It takes considerable effort—before during and after conflict—to achieve.
1 See David E. Sanger, Julian E. Barnes, & Kate Conger, As Tanks Rolled into Ukraine, So Did Malware. Then Microsoft Entered the War, N.Y. Times (Feb. 28, 2022), https://www.nytimes.com/2022/02/28/us/politics/ukraine-russia-microsoft.html. 2 DDoS Cyberattacks Temporarily Disrupt Estonian Foreign Ministry Website, ERR News (May 9, 2022), https://news.err.ee/1608591475/ddos-cyberattacks-temporarily-disrupt-estonian-foreign-ministry-website 3 Suzanne Smalley, How the French Fiber Optic Cable Attacks Accentuate Critical Infrastructure Vulnerabilities, Cyber Scoop (Apr. 28, 2022), https://www.cyberscoop.com/french-fiber-optic-cables-attack-critical-infrastructure/. 4 Carly Page, Viasat Cyberattack Blamed on Russian Wiper Malware, Tech Crunch (Mar. 22, 2022), https://techcrunch.com/2022/03/31/viasat-cyberattack-russian-wiper/. 5 See Ariella Mardsen, Anonymous Hacks Russian Federal Agency, Releases 360,000 Documents, Jerusalem Post (Mar. 10, 2022), https://stgdesktopcore.jpost.com/breaking-news/article-700940?utm_source=pocket_mylist; Christopher Ankersen, Deterrence is always about information: A new framework for understanding, in Eric Oulette, ed. Deterrence in the 21st Century (University of Calgary Press, forthcoming.See also Scott J. Shackelford, Inside the Drive for Cyber Peace: Unpacking Implications for Practitioners and Policymakers, __ Univ. Cal. Davis Bus. L.J. __ (2021). 6 See, e.g., The Growing Threat of Cyberattacks, Heritage Found., https://www.heritage.org/cybersecurity/heritage-explains/the-growing-threat-cyberattacks (last visited Feb. 20, 2020). 7 See Luke Broadwater, Baltimore Transfers $6 Million to Pay for Ransomware Attack; City Considers Insurance Against Hacks, Baltimore Sun (Aug. 28, 2019), https://www.baltimoresun.com/politics/bs-md-ci-ransomware-expenses-20190828-njgznd7dsfaxbbaglnvnbkgjhe-story.html; Karen Husa, Panama-Buena Vista Union School District Computers and Phones attacked by Ransomware, KGET (Jan. 17, 2020), https://www.kget.com/news/local-news/panama-buena-vista-union-school-district-computers-and-phones-attacked-by-ransomware/. 8See, e.g., Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers 2 (2020). 9 Though, there is a case to be made that Internet access itself should be considered a human right. See Carl Bode, The Case for Internet Access as a Human Right, Vice (Nov. 13, 2019), https://www.vice.com/en_us/article/3kxmm5/the-case-for-internet-access-as-a-human-right. 10See Shackelford, Beyond the New Digital Divide, supra note 41. 11 Advancing Cyberstability, Global Commission on the Stability of Cyberspace 13 (2019), https://cyberstability.org/wp-content/uploads/2020/02/GCSC-Advancing-Cyberstability.pdf. 12 Obama White House, The Comprehensive National Cybersecurity Initiative, https://obamawhitehouse.archives.gov/node/233086 (last visited Nov. 10, 2017). 13 See James A. Winnfield, Jr., Christopher Kirchhoff, & David M. Upton, Cybersecurity’s Human Facto: Lessons from the Pentagon, Harv. Bus. Rev. (Sept. 2015), https://hbr.org/2015/09/cybersecuritys-human-factor-lessons-from-the-pentagon, along with the work on human factors. 14 Brandon Valeriano & Benjamin Jensen, “De-escalation Pathways and Disruptive Technology,” Cyber Peace: Charting a Path Toward a Sustainable, Stable, and Secure Cyberspace. Cambridge University Press: 2022. 15 Jacquelyn Schneider, Benjamin Schechter, Rachael Shaffer, “A Lot of Cyber Fizzle But Not A Lot of Bang: Evidence about the Use of Cyber Operations from Wargames,” Journal of Global Security Studies, Volume 7, Issue 2, June 2022. 16 Max Smeets, “Going the Extra Mile: What It Takes to Be a Responsible Cyber Power,” Lawfare Blog, Wednesday, May 11, 2022, 8:01.