State-based cyber threats are an increasingly dominant part of the global security landscape. The Organization for Security and Cooperation in Europe (OSCE) has, in recent years, sought to play a leading role in the international system by developing confidence building measures between states to reduce the risks of cyber conflict. The cyber diplomacy at the OSCE features discussions and (voluntary) agreements among 57 participating States – including the United States and, crucially, Russia. Advocates of this approach suggest that, in the longer term, it could lead to the development of norms of state behavior in cyberspace – and thus contribute to greater stability and security in the international system.
On September 28, 2017, the U.S. Helsinki Commission held a briefing on cyber diplomacy moderated by Global Security and Political-Military Affairs Advisor Alex Tiersky. The panelists—Tim Maurer, co-director of the Cyber Policy Initiative and a fellow at the Carnegie Endowment for International Peace; Jaisha Wray, Acting Deputy Director of the Office of Emerging Security Challenges in the Bureau of Arms Control, Verification and Compliance at the U.S. Department of State; and Alex Crowther, Senior Research Fellow and Director of Research at the National Defense University’s Center for Technology and National Security Policy—discussed how OSCE confidence-building measures (CBMs) might work to decrease the risk of cyber conflict. These CBMs are voluntary in nature and allow states to read one-another’s postures in cyberspace.
Mr. Maurer provided the audience an overview of the state-based threats these measures seek to diminish and listed several historical examples, such as the 2007 Distributed Denial of Service (DDoS) attack on Estonia, the offensive cyber activity of the 2008 Russian invasion of Georgia, and the Stuxnet operation. He noted that, in the last decade, there has been a significant uptick in these threats, as there are 30 states that either have or are developing offensive cyber capabilities. Additionally, he applauded the groundwork the United Nations has laid towards addressing this pressing concern.
Ms. Wray communicated the U.S. priority of establishing norms of responsible state behavior in cyberspace. In her view, cyber activity has a unique potential to destabilize, because of its few outside observables and distributed vulnerability. She noted that participating States of the OSCE are currently in the process of implementing the CBMs agreed upon last year.
Dr. Crowther offered a national security perspective on the topic, emphasizing the importance Russian participation in confidence-building. He attributed much of the progress on this issue to the 2015 decision of the Group of Governmental Experts that existing international law applies to cyberspace. In closing, he warned of the danger that cyber-enabled operations in a world saturated with smart devices.