Cyber Diplomacy and Writing the Rules in an Invisible Domain
The challenge of regulating state behavior and preventing and regulating conflict in cyberspace is as daunting as it’s urgent.

Actions in cyberspace by governments, businesses, NGOs and other players have become part of international relations and international security. Those actions reflect countries’ national interests and affect their bilateral and multilateral diplomatic relationships. This has led to the rise of cyber diplomacy — the activity of deploying international cooperation in cyberspace and using actions in cyberspace to achieve foreign-policy goals. The main focus of cyber diplomacy is forging a way to regulate state behavior and prevent and regulate conflict in cyberspace. Some governments have extended their cyber diplomacy portfolios to include the foreign-policy implications of new technologies.
It is important to understand what cyber diplomacy is not. It is not the activity of using digital tools to accomplish traditional foreign-policy objectives — that is the definition of digital diplomacy. For example, when the Covid-19 pandemic shut the world down, diplomats could rely only on digital communications and virtual interactions to do their work, but that did not mean that they engaged in cyber diplomacy, unless their focus was on cyberspace stability and Internet governance. Although all of international diplomacy includes certain interactions between nation-states and the private sector, civil society and other non-state actors, such interactions between and among a variety of stakeholders are much more prevalent in cyber diplomacy.
In 2007, Russia launched the first politically motivated, large-scale, coordinated cyber attack against an entire country — my native Estonia. Its objectives included misinformation, political coercion and inciting violence. Fortunately for Estonia, it was as prepared as any state was at the time. It had held its first online elections the previous year and conducted exercises simulating cyber attacks against both public and private organizations. It is noteworthy that the Russian campaign had been calibrated as a “below-the-threshold operation” — it was significantly disruptive and harmful, but it fell short of armed conflict. Had it crossed that threshold, it would have provoked a NATO response — as a member of the alliance, Estonia would have benefited from the collective security clause of Article 5 of the Washington Treaty.
One of the major lessons of the Estonian experience was that governments around the world must have highly qualified cyber experts guarding their most critical networks, anticipating crises and fighting back when they occur. Not long after the 2007 attacks, the Estonian government asked me to lead the development of the country’s first Cyber Security Strategy, and I later coordinated its implementation while managing the National Cyber Security Council. In that and subsequent positions at NATO and the European Union, I watched cyber attacks on two other former Soviet republics, one during Russia’s 2008 invasion of Georgia, which was very similar to the anti-Estonian campaign, and the other — more sophisticated — during Russia’s annexation of Crimea and invasion of eastern Ukraine in 2014.
Western publics became more aware of politically motivated Russian cyber operations during and after the 2016 U.S. election campaign. Similar operations targeted many European countries’ elections both before and after 2016. As Moscow prepared for its 2022 invasion of Ukraine, it attacked the country’s critical civilian infrastructure and continued to do so after the war broke out, but the damage it inflicted was limited, because the Ukrainian government had strengthened its cyber defenses following the 2014 events. Russian information warfare as a political tool is not a new phenomenon but an updated construct that continues to evolve, develop and adapt. For other countries’ responses to be effective, they must be innovative and ahead of Russia’s game.
Although Russia is by no means the only country trying to weaponize cyberspace, its long history of attacks is a vivid example of the need for rules governing international behavior in this relatively new domain.
The U.S. National Institute of Standards and Technology defines cyberspace as consisting of an “interdependent network of information systems infrastructures, including the Internet, telecommunications networks, computer systems and embedded processors and controllers.” It results from “the interaction of people, software and services… by means of technology devices and networks connected to it, which does not exist in any physical form.” Not all elements of cyberspace are connected to the Internet — those that are not connected include industrial control systems of critical infrastructure that provide essential services, such as electricity, water and transport, as well as closed military, intelligence and other systems.
The absence of borders in cyberspace requires a multi-stakeholder governance approach where diplomats pursue a challenging agenda, which includes promoting peace and stability, protecting human rights and conducting economic and other relations in the non-physical realm. For that, governments need help from businesses, academia, NGOs and other organizations. A multi-stakeholder model already exists in the governance of the Internet. As the single interconnected worldwide system of commercial, government, educational and other computer networks that share a set of protocols, it is governed by no single body, but by a myriad of technical, civil-society and governmental entities. Internet protocols are specified by the Internet Architecture Board (IAB), and the name and address spaces are managed by the Internet Corporation for Assigned Names and Numbers (ICANN).
To keep the Internet reliable, it is important to maintain integrity, openness and interoperability as its key attributes that facilitate social and economic progress. Unlike air, space, land and sea, cyberspace is a man-made domain and access to it is not automatic — it is dependent on thousands of information and communications technology (ICT) components produced by different companies, often in different countries. The cumulative complexity of such systems and the relative novelty of cyberspace lead to vulnerabilities that can be exploited for nefarious and malicious purposes.
With 5.3 billion Internet users worldwide in 2022, humankind depends on this technology more than ever. But with enough resources and determination, most IT systems can be accessed by an outside party. Large organizations and those of particular value or prominence are especially vulnerable, because attacks against them usually attract the most attention. Personal devices and systems tend to be less appealing targets to states and criminal groups, although individual users with high visibility and responsibility, such as public officials and celebrities, can become victims of hacking and other malignant activities.
Cyber diplomats help their governments to counter threats and take advantage of opportunities, as noted in previous chapters. In cyber diplomacy, at least in its current phase, the bigger emphasis is on threats, because of their overwhelming number and potential to wreak enormous havoc. It may be helpful to both policymakers and diplomats to think of different levels of threats, based on their impact, and to consider different approaches in trying to mitigate them.
In June 2017, novel malware called NotPetya infected computers around the world. It started in Ukraine — it was designed to infiltrate ICT systems via a popular piece of Ukrainian accounting software — where the authorities blamed Russia, as the cyberattack was an apparent part of the ongoing conflict between the two countries. But the devastation spread far beyond Ukraine, causing more than $10 billion in damages globally. One of its largest victims in the private sector was Mondelez International, a Chicago-based multinational food company, whose products include Oreos and Triscuits, among other well-known snacks. NotPetya disrupted Mondelez’s email systems, file access and logistics for weeks.
The company’s insurance provider quickly denied its claim, saying that its policy did not cover damages caused by war, resulting in a $100 million lawsuit against the insurer, Zurich, which settled it in 2022. The case set off a shakeup of the cyber-insurance industry with far-reaching and lasting consequences. NotPetya also managed to seriously disrupt the global shipping industry by knocking out the systems of one of its largest companies, Maersk of Denmark, for a week.
Ransomware, malware and other cyber attacks on a global level like those perpetrated by NotPetya and WannaCry, which paralyzed Britain’s National Health Service in 2017, can inflict large-scale economic loss and cause crippling disruptions. For example, Covid-19 unleashed an avalanche of cybercrime that touched many parts of the world. “Cybercriminals are taking advantage of the widespread global communications on the coronavirus to mask their activities,” Interpol warned in 2020. “Malware, spyware and Trojans have been found embedded in interactive coronavirus maps and websites. Spam emails are also tricking users into clicking on links which download malware to their computers or mobile devices.”
On a national level, governments are mostly concerned with cyber threats emanating from other states or state-sponsored actors with various purposes, such as supporting conventional warfare, playing a part in hybrid conflicts, conducting espionage, and interfering in elections or other internal affairs. On an industry level, cyber attacks can affect entire industries or sectors of the economy, as was the case with NotPetya’s and WannaCry’s impact on the insurance, healthcare, transport and other sectors. Economic espionage in cyberspace is another serious threat that can cause significant economic losses and distort markets. On an individual level, most end-users have been targets of cyber incidents, and millions have become victims. Home computers with weak cyber security protection are susceptible to hijacking and inclusion in “botnet armies” used for illegal activities like the 2007 attacks on Estonia.
When consumers are affected by cyber incidents, they seek help from private companies — usually, Internet providers or IT firms. But when the victim is a government agency or an entire country, most firms lack the capacity to respond to such crises. So it is crucial for governments to understand the level of cyber sophistication of state and state-sponsored actors, as well as that of organized crime and motivated groups of criminal hackers, which are known as high-end actors. Cyber diplomats can be useful in creating and improving that expertise, tracking those actors’ behavior and monitoring what other states may be doing in response.
Heli Tiirmaa-Klaar is a former ambassador-at-large for cyber diplomacy at the Estonian Ministry of Foreign Affairs, as well as a former chief cyber policy coordinator for the European External Action Service and cyber security policy adviser at NATO.
The above is an adapted excerpt from the book “Diplomatic Tradecraft,” published with permission from Cambridge University Press. © Nicholas Kralev 2024