Cyber intrusions do not respect international borders. At this event, the attorney general will discuss how to apply and shape international law in order to ensure the rules-based international system can adapt to the threats – and opportunities – posed by cyber into the future.

With international trade discourse taking an increasingly transactional and sometimes belligerent tone, it would be easy to overlook the quiet revolution currently under way to bring new voices into trade policy development and monitoring. The traditional division of responsibilities between the executive and legislature – whereby treaties are negotiated and signed by the executive, and the legislature does what is necessary to implement them – may be undergoing some change.

Growing awareness of the implications of trade and investment treaties for many aspects of day-to-day life – food standards, employment opportunities, environmental quality, availability of medicines and data protection, just to name a few – is fuelling demands by people and businesses for more of a say in the way these rules are formulated and developed.

Various options for enhancing public and parliamentary scrutiny of trading proposals have recently been examined by two UK parliamentary select committees.[1] The reason for this interest is obviously Brexit, which has presented UK civil servants and parliamentarians with the unusual (some would say exciting) opportunity to design an approval and scrutiny process for trade agreements from scratch.

Doubtless, EU authorization, liaison and approval procedures (which include a scrutinizing role for the European Parliament) will be influential,[2] as will the European Commission’s experience with stakeholder engagement on trade issues.[3] The recommendations of both UK select committees to include human rights impact assessment processes as part of pre-negotiation preparations[4] echo calls from UN agencies and NGOs for more rigorous and timely analysis of the human rights risks that may be posed by new trading relationships.[5] Again, EU practice with what it terms ‘sustainability impact assessment’ of future trade agreements provides a potential model to draw from.[6] 

However, process is no substitute for action. Human rights impact assessment is never an end in itself; rather, it is a means to a positive end, in this case a trade agreement which is aligned with the trading partners’ respective human rights obligations and aspirations. It bears remembering, though, that the idea of assessing trade proposals for future human rights risks is a relatively recent one. Do we have the tools and resources to make sure that this is a meaningful compliance and risk management exercise?

Thus far there is little evidence that human rights impact assessment and stakeholder engagement exercises are having any real impact on the content of trade agreements.[7] This is the case even in the EU, where practice in these areas is the most advanced and systematic.[8]

There are several possible reasons for this. First, the methodological challenges are enormous. Aside from the crystal-ball gazing needed to forecast the social, economic and environmental effects of a trade intervention well into the future, demonstrating causal links between a trade agreement and a predicted adverse impact is often highly problematic given the number of other economic and political factors that may be in play.[9]

Secondly, there are many challenges around the need to engage with affected people and listen to their views.[10] The sheer number of possible impacts of a trade agreement on different individuals and communities, as well as the range of rights potentially engaged, makes this a difficult (some would say impossible) task. Some prioritization is always necessary.

This makes for difficult decisions about who to engage with and how. Perceived bias or an apparent lack of even-handedness – favouring business compared to civil society, for instance – can sow mistrust about the true aims of such a process, undermining its future effectiveness as participants begin to question whether it is genuine or worthwhile.[11]

The challenges are even more acute where impact assessment practitioners are tasked with investigating potential human rights impacts in other countries. Even if it is possible to get past the inevitable political sensitivities,[12] the sort of in-depth consultations required will be beyond the budget and time constraints of most assignments.[13]

There are good reasons why trade policy should be subject to greater public and parliamentary scrutiny, and why there should be more opportunities for public participation in the formation of new trading regimes. By building more opportunities for stakeholder consultation at these stages, we can acquire perspectives on trade that are not available from other forms of assessment and analysis.

However, policymakers should be wary of overstating the benefits of existing procedural models. Human rights impact assessment processes are still struggling to provide compelling analyses of the relationships between trade agreements and the enjoyment of human rights, let alone a roadmap for policymakers and trade negotiators as to what should be done.[14]

And financial and practical barriers to participation in stakeholder engagement exercises mean that, at best, these will provide only a partial picture of stakeholder impacts and views.

Experiences with human rights impact assessment of trade agreements so far demonstrate the need for realism about two things: first, the extent to which one can sensibly anticipate and analyse human rights-related risks and opportunities in the preparation stages for a new trading agreement; and, second, the extent to which problems identified in this way can be headed off with the right form of words in the treaty itself.

Both recent UK select committee reports place considerable faith in the ability of pre-project transparency and scrutiny processes to flush out potential problems and prescribe solutions. Of course, there may be cases where frontloading the analysis in this way could be useful, for instance where the human rights implications are so clear that they can readily be addressed through upfront commitments by the parties concerned, whether by bespoke or standardized approaches.

More often, though, for a trade agreement running many years into the future, human rights impacts and implications will take time to emerge, suggesting the need for robust monitoring and mitigation frameworks designed with longevity in mind. Ideally, pre-signing approval and assessment processes would lay the groundwork for future action by both trading partners, either jointly or separately (though preferably both).

To this end, as well as developing ideas for more robust substantive provisions on human rights, policymakers should consider the institutional arrangements required – whether pursuant to the trade agreement or by complementary processes – to ensure that human rights-related risks identified during the planning stages are properly and proactively followed up, that emerging risks are tackled in a timely fashion, and that there are opportunities for meaningful stakeholder contributions to these processes.

Notes

[1] UK Joint Committee on Human Rights (2019), ‘Human Rights Protections in International Agreements, Seventeenth Report of Session 2017–19’, HC 1833 HL paper 310, 12 March 2019, https://publications.parliament.uk/pa/jt201719/jtselect/jtrights/1833/1833.pdf; and House of Commons International Trade Committee (2018), ‘UK Trade Policy Transparency and Scrutiny, Sixth Report of Session 2017-2019’, HC 1043, 29 December 2018.

[2] European Parliament and Directorate General for External Policies (2019), Parliamentary scrutiny of trade policies across the western world, study paper, March 2019, http://www.europarl.europa.eu/RegData/etudes/STUD/2019/603477/EXPO_STU(2019)603477_EN.pdf.

[3] European Commission (2019), ‘Trade policy and you’, http://ec.europa.eu/trade/trade-policy-and-you/index_en.htm.

[4] See UK Joint Committee on Human Rights (2019), ‘Human Rights Protections in International Agreements’, para 12; and House of Commons International Trade Committee (2018), ‘UK Trade Policy Transparency and Scrutiny’, paras 124–34.

[5] OHCHR (2003), Report of the High Commissioner for Human Rights on Human Rights, Trade and Investment, 2 July 2003, E/CN.4/Sub.2/2003/9, Annex, at para 63; UN Economic and Social Council (2017), ‘General Comment No 24 (2017) of the Committee on Economic, Social and Cultural Rights on State obligations under the International Covenant on Economic, Social and Cultural Rights in the context of business activities’, UN Doc. E/C.12/GC/24, 10 August 2017, para 13; and UN General Assembly (2011), ‘Guiding principles on human rights impact assessment of trade and investment agreements’, Report of the Special Rapporteur on the Right to Food, Olivier De Schutter, UN Doc. A/HRC/19/59/Add.5, 19 December 2011.

[6] European Commission (2016), Handbook for Sustainability Impact Assessment (2nd ed.), Brussels: European Union, http://trade.ec.europa.eu/doclib/docs/2016/april/tradoc_154464.PDF.

[7] Zerk, J. (2019), Human Rights Impact Assessment of Trade Agreements, Chatham House Research Paper, London: Royal Institute of International Affairs, https://www.chathamhouse.org/publication/human-rights-impact-assessment-trade-agreements.

[8] Ibid., pp. 11–13. For a detailed explanation of the EU’s approach to human rights impact assessment, see European Commission (2016), Handbook for Sustainability Impact Assessment.

[9] Zerk (2019), Human Rights Impact Assessment of Trade Agreements, pp. 14–21.

[10] Ibid., pp. 21–22.

[11] Ergon Associates (2011), Trade and Labour: Making effective use of trade sustainability impact assessments and monitoring mechanisms, Final Report to DG Employment, Social Affairs and Inclusion European Commission, September 2011; and Gammage, C. (2010), ‘A Sustainability Impact Assessment of the Economic Partnership Agreements: Challenging the Participatory Process’, Law and Development Review, 3(1): pp. 107–34. For a civil society view, see Trade Justice Movement (undated), ‘Trade Justice Movement submission to the International Trade Committee inquiry into UK Trade Policy Transparency and Scrutiny’, https://www.tjm.org.uk/resources/briefings/tjm-submission-to-the-international-trade-committee-inquiry-into-uk-trade-policy-transparency-and-scrutiny, esp. paras 23–32.

[12] Zerk (2019), Human Rights Impact Assessment of Trade Agreements, pp. 20–21.

[13] Ibid., pp. 21–22.

[14] Ibid.

This essay was produced for the 2019 edition of Chatham House Expert Perspectives – our annual survey of risks and opportunities in global affairs – in which our researchers identify areas where the current sets of rules, institutions and mechanisms for peaceful international cooperation are falling short, and present ideas for reform and modernization.

Rapid technological change raises urgent questions around equity, transparency, privacy and security. 

We are looking at the human rights dividend from new technologies as well as how international human rights law standards, for example on freedom of thought, expression and privacy, guide the use of digital technology in the electoral context.

International law applies to cyber operations – but views differ on exactly how. Does state-sponsored interference in another state's affairs using cyber means – for example,  disinformation campaigns in elections, disabling government websites, or disrupting transport systems – breach international law? If so, on what basis and how are the principles of sovereignty and non-intervention relevant? States are increasingly attributing cyber operations to other states and engaging in the debate on how international law applies, including circumstances that would justify countermeasures.

As states meet to debate these issues at the UN, the panel will explore how international law regulates cyberoperations by states, consider the prospects of progress at the UN, and assess the value of other initiatives.

This event coincides with the launch of a Chatham House research paper which analyses how the principles of sovereignty and intervention apply in the context of cyberoperations, and considers a way forward for agreeing a common understanding of cyber norms.

This event will bring together a broad group of actors, including policymakers, the private sector, legal experts and civil society, and will be followed by a drinks reception.

Summary

• The vast majority of state-to-state cyberattacks consist of persistent, low-level intrusions that take place below the threshold of use of force. International law, including the principle of non-intervention in another state’s internal affairs and the principle of sovereignty, applies to these cyber operations.
• It is not clear whether any unauthorized cyber intrusion would violate the target state’s sovereignty, or whether there is a threshold in operation. While some would like to set limits by reference to effects of the cyber activity, at this time such limits are not reflected in customary international law. The assessment of whether sovereignty has been violated therefore has to be made on a case by case basis, if no other more specific rules of international law apply.
• In due course, further state practice and opinio iuris may give rise to an emerging cyber-specific understanding of sovereignty, just as specific rules deriving from the sovereignty principle have crystallized in other areas of international law.
• Before a principle of due diligence can be invoked in the cyber context, further work is needed by states to agree upon rules as to what might be expected of a state in this context.
• The principle of non-intervention applies to a state’s cyber operations as it does to other state activities. It consists of coercive behaviour by one state that deprives the target state of its free will in relation to the exercise of its sovereign functions in order to compel an outcome in, or conduct with respect to, a matter reserved to the target state.
• In practice, activities that contravene the non-intervention principle and activities that violates sovereignty will often overlap.
• In order to reach agreement on how international law applies to states’ cyber operations below the level of use of force, states should put their views on record, where possible giving examples of when they consider that an obligation may be breached, as states such as the UK, Australia, France and the Netherlands have done.
• Further discussion between states should focus on how the rules apply to practical examples of state-sponsored cyber operations. There is likely to be more commonality about specific applications of the law than there is about abstract principles.
• The prospects of a general treaty in this area are still far off. In due course, there may be benefit in considering limited rules, for example on due diligence and a prohibition on attacking critical infrastructure, before tackling broad principles.

In discussions to date about how international law applies in cyberspace, commentators have tended to focus their attention on how the rules on the use of force, or the law of armed conflict, apply to cyber activities conducted by states that give rise to physical damage, injury or death.

But in practice, the vast majority of state cyberattacks fall below this threshold. Far more common are persistent, low-level attacks that may leave no physical trace but that are capable of doing significant damage to a state’s ability to control its systems, often at serious economic cost.

Such cyber incursions might include network disruptions in the operation of another government’s websites; tampering with electoral infrastructure to change or undermine the result; or using cyber means to destabilize another state’s financial sector.

For these kinds of cyber operation, the principle of sovereignty, and the principle of non-intervention in another state’s internal affairs, are the starting point.

A UN Group of Government Experts (GGE) agreed in 2013 and 2015 that the principles in the UN Charter, including sovereignty and the prohibition on intervention in another state’s affairs, apply to states’ activities in cyberspace. The 2015 GGE also recommended eleven (non-binding) norms of responsible state behaviour in cyberspace.

However, states have not yet reached agreement on how to apply these principles. Until recently, there has also been very little knowledge of what states actually do in cyberspace, as they usually conduct cyber operations covertly and have been reluctant to put their views on record.

A new Chatham House research paper analyses the application of the principles of sovereignty and non-intervention to state cyberattacks that fall below the principle of use of force. As well as analysing the application of the law in this area, the paper also makes recommendations to governments on how they might best make progress in reaching agreement in this area.

Existing rules or new rules?

As the research paper makes clear, there is currently some debate, principally between countries in the West, about the extent to which sovereignty is a legally binding rule in the context of cyberspace and, if so, how it and the principle of non-intervention might apply in practice.

In the last few years, certain states have put on record how they consider international law to apply to states’ activities in cyberspace, namely the UK, Australia, France and the Netherlands. While there may be some differences in their approaches, which are discussed in the paper, there also remains important common ground: namely, that existing international law already provides a solid framework for regulating states’ cyber activities, as it regulates every other domain of state-to-state activity.

There is also an emerging trend for states to work together when attributing cyberattacks to hostile states, enabling them to call out malign cyber activity when it violates international law. (See, for example, the joint statements made in relation to the NotPetya cyber attack and malicious cyber activity attributed to the Russian government).

However, other countries have questioned whether existing international law as it stands is capable of regulating states’ cyber interactions and have called for ‘new legal instruments’ in this area.

This includes a proposal by the Shanghai Cooperation Organization (led by Russia and China) for an International Code of Conduct on Information Security, a draft of which was submitted to the UN in 2011 and 2015, without success. The UN has also formed a new Open-Ended Working Group (OEWG) under a resolution proposed by Russia to consider how international law applies to states’ activities in cyberspace.

The resolution establishing the OEWG, which began work earlier this year, includes the possibility of the group ‘introducing changes to the rules, norms and principles of responsible behaviour of States’ agreed in the 2013 and 2015 GGE reports. In the OEWG discussions at the UN in September, several countries claimed that a new legal instrument was needed to fill the ‘legal vacuum’ (Cuba) or ‘the gap of ungoverned areas’ (Indonesia).

It would be concerning if the hard-won consensus on the application of international law to cyberspace that has been reached at past GGEs started to unravel. In contrast to 2013 and 2015, the 2017 meeting failed to reach an agreement.

On 9 December, a renewed GGE will meet in New York, but the existence of the OEWG exploring the same issues in a separate process reflects the fact that cyber norms have become an area of geopolitical rivalry.

Aside from the application of international law, states are also adopting divergent approaches to the domestic regulation of cyberspace within their own territory. The emerging trend towards a ‘splinternet’ – i.e. between states that believe the internet should be global and open on the hand, and those that favour a ‘sovereignty and control’ model on the other  – is also likely to make discussions at the GGE more challenging.

Distinct from the international law concept of sovereignty is the notion of ‘cybersovereignty’, a term coined by China to describe the wide-ranging powers it assumes under domestic law to regulate its citizens’ access to the internet and personal data within its territory. This approach is catching on (as reflected in Russia’s recently enacted ‘Sovereign Internet Law’), with other authoritarian states likely to follow suit.

The importance of non-state actors

In parallel with regional and UN discussions on how international law applies, a number of initiatives by non-state actors have also sought to establish voluntary principles about responsible state behaviour in cyberspace.

The Global Commission on the Stability of Cyberspace, a multi-stakeholder body that has proposed principles, norms and recommendations to guide responsible behaviour by all parties in cyberspace, recently published its final report. The Cybersecurity Tech Accord  aims to promote collaboration between tech companies on stability and resilience in cyberspace. President Macron’s ‘Paris Call for Trust and Security in Cyberspace’ has to date received the backing of 67 states, 139 international and civil society organizations, and 358 private-sector organizations.

It remains to be seen in the long term whether the parallel processes at the UN will work constructively together or be competitive. But notwithstanding the challenging geopolitical backdrop, the UN GGE meeting next week at the least offers states the opportunity to consolidate and build on the results of past meetings; to increase knowledge and discussion about how international law might apply; and to encourage more states to put their own views of these issues on the record.

This workshop is the second in a series in the 'Implementing the Commonwealth Cybersecurity Agenda' project. The workshop aims to provide a multi-stakeholder pan-Commonwealth platform to discuss how to take the implementation of the 'Commonwealth Cyber Declaration' forward with a focus on the second pillar of the declaration – building the foundations of an effective national cybersecurity response with eight action points. 

As such, the workshop gathers different project implementers under the UK Foreign and Commonwealth Office’s Cyber Programme, in addition to other key relevant stakeholders from the global level, to explore ongoing initiatives which aim to deliver one or more of pillar two’s action points.

The workshop addresses issues from a global perspective and a Commonwealth perspective and will include presentations from selected partners from different Commonwealth countries.

• Civil nuclear facilities and organizations hold sensitive information on security clearances, national security, health and safety, nuclear regulatory issues and international inspection obligations. The sensitivity and variety of such data mean that products tailored for insuring the civil nuclear industry have evolved independently and are likely to continue to do so.
• ‘Air-gaps’ – measures designed to isolate computer systems from the internet – need to be continually maintained for industrial systems. Yet years of evidence indicate that proper maintenance of such protections is often lacking (mainly because very real economic drivers exist that push users towards keeping infrastructure connected). Indeed, even when air-gaps are maintained, security breaches can still occur.
• Even if a particular organization has staff that are highly trained, ready and capable of handling a technological accident, hacking attack or incidence of insider sabotage, it still has to do business and/or communicate with other organizations that may not have the essentials of cybersecurity in place.
• Regardless of whether the choice is made to buy external insurance or put aside revenues in preparation for costly incidents, the approach to cyber risk calculation should be the same. Prevention is one part of the equation, but an organization will also need to consider the resources and contingency measures available to it should prevention strategies fail. Can it balance the likelihood of a hacker’s success against the maximum cost to the organization, and put aside enough capital and manpower to get it through a crisis?
• All civil nuclear facilities should consider the establishment of computer security incident response (CSIR) teams as a relevant concern, if such arrangements are not already in place. The existence of a CSIR team will be a prerequisite for any facility seeking to obtain civil nuclear cyber insurance.
• Preventing attacks such as those involving phishing and ransomware requires good cyber hygiene practices throughout the workforce. Reducing an organization’s ‘time to recovery’ takes training and dedication. Practising the necessary tasks in crisis simulations greatly reduces the likelihood of friction and the potential for error in a crisis.

In recent years, cybercrime has evolved from a niche technological concern into a prominent global issue with substantial preventative and remedial costs for businesses and governments alike. Despite heavy investment in sophisticated cybersecurity measures and the adoption of several legal, organizational and capacity-building measures, cybercrime remains a major threat which is evolving on a daily basis. Today’s cybercrime is more aggressive, more complex, more organized and – importantly – more unpredictable than ever before.

The challenges posed by cybercrime are experienced acutely by countries undergoing digital transformations: as the level of connectivity rises, so too does the potential for online theft, fraud and abuse. Cybercrime is pervasive but governments can work to limit its impact by creating a resilient overall economy and robust institution, and appropriately equipping law enforcement and the justice system to navigate its novel challenges.

To advance the discourse surrounding these issues, this workshop will assess the current cyber threat landscape and how it is evolving. It will identify the main obstacles encountered by law enforcement, the judiciary and prosecutors in their fight against cybercrime. It will also compare national, regional and global approaches that countries can use to effectively curb cybercrime and tackle its emerging challenges.

Summary

• All satellites depend on cyber technology including software, hardware and other digital components. Any threat to a satellite’s control system or available bandwidth poses a direct challenge to national critical assets.
• NATO’s missions and operations are conducted in the air, land, cyber and maritime domains. Space-based architecture is fundamental to the provision of data and services in each of these contexts. The critical dependency on space has resulted in new cyber risks that disproportionately affect mission assurance. Investing in mitigation measures and in the resilience of space systems for the military is key to achieving protection in all domains.
• Almost all modern military engagements rely on space-based assets. During the US-led invasion of Iraq in 2003, 68 per cent of US munitions were guided utilizing space-based means (including laser-, infrared- and satellite-guided munitions); up sharply from 10 per cent in 1990–91, during the first Gulf war. In 2001, 60 per cent of the weapons used by the US in Afghanistan were precision-guided munitions, many of which had the capability to use information provided by space-based assets to correct their own positioning to hit a target.
• NATO does not own satellites. It owns and operates a few terrestrial elements, such as satellite communications anchor stations and terminals. It requests access to products and services – such as space weather reports and satellite overflight reports provided via satellite reconnaissance advance notice systems – but does not have direct access to satellites: it is up to individual NATO member states to determine whether they allow access.
• Cyber vulnerabilities undermine confidence in the performance of strategic systems. As a result, rising uncertainty in information and analysis continues to impact the credibility of deterrence and strategic stability. Loss of trust in technology also has implications for determining the source of a malicious attack (attribution), strategic calculus in crisis decision-making and may increase the risk of misperception.

After President Trump decided to halt a missile attack on Iran in response to the downing of a US drone, it was revealed that the US had conducted cyberattacks on Iranian weapons systems to prevent Iran launching missiles against US assets in the region.

This ‘left-of-launch’ strategy – the pre-emptive action to prevent an adversary launch missiles – has been part of the US missile defence strategy for some time now. President George W Bush asked the US military and intelligence community to infiltrate the supply chain of North Korean missiles. It was claimed that the US hacked the North Korean ballistic missile programme, causing a failed ballistic missile test, in 2012.

It was not clear then – or now – whether these ‘left-of-launch’ cyberattacks aimed at North Korea were successful as described or whether they were primarily a bluff. But that is somewhat irrelevant; the belief in the possibility and the understanding of the potential impact of such cyber capabilities undermines North Korean or Iranian confidence in their abilities to launch their missiles. In times of conflict, loss of confidence in weapons systems may lead to escalation.

In other words, the adversary may be left with no option but to take the chance to use these missiles or to lose them in a conflict setting. ‘Left of launch’ is a dangerous game. If it is based on a bluff, it could be called upon and lead to deterrence failure. If it is based on real action, then it could create an asymmetrical power struggle. If the attacker establishes false confidence in the power of a cyber weapon, then it might lead to false signalling and messaging.

This is the new normal. The cat-and-mouse game has to be taken seriously, not least because missile systems are so vulnerable.

There are several ways an offensive cyber operation against missile systems might work. These include exploiting missile designs, altering software or hardware, or creating clandestine pathways to the missile command and control systems.

They can also be attacked in space, targeting space assets and their link to strategic systems.

Most missile systems rely, at least in part, on digital information that comes from or via space-based or space-dependent assets such as: communication satellites; satellites that provide position, navigation and timing (PNT) information (for example GPS or Galileo); weather satellites to help predict flight paths, accurate targeting and launch conditions; and remote imagery satellites to assist with information and intelligence for the planning and targeting.

Missile launches themselves depend on 1) the command and control systems of the missiles, 2) the way in which information is transmitted to the missile launch facilities and 3) the way in which information is transmitted to the missiles themselves in flight. All these aspects rely on space technology.

In addition, the ground stations that transmit and receive data to and from satellites are also vulnerable to cyberattack – either through their known and unknown internet connectivity or through malicious use of flash drives that contain a deliberate cyber infection.

Non-space-based communications systems that use cable and ground-to-air-to-ground masts are likewise under threat from cyberattacks that find their way in via internet connectivity, proximity interference or memory sticks. Human error in introducing connectivity via phones, laptops and external drives, and in clicking on malicious links in sophisticated phishing lures, is common in facilitating inadvertent connectivity and malware infection.

All of these can create a military capacity able to interfere with missile launches. Malware might have been sitting on the missile command and control system for months or even years, remaining inactivated until a chosen time or by a trigger that sets in motion a disruption either to the launch or to the flight path of the missile. The country that launches the missile that either fails to launch or fails to reach the target may never know if this was the result of a design flaw, a common malfunction or a deliberate cyberattack.

States with these capabilities must exercise caution: cyber offence manoeuvres may prevent the launch of missile attacks against US assets in the Middle East or in the Pacific regions, but they may also interfere with US missile launches in the future. Even, as has recently been revealed, US cyber weapons targeting an adversary may blow back and inadvertently infect US systems. Nobody is invulnerable.

Summary

• The application of ‘security by design’ in nuclear new builds could provide operators with the opportunity to establish a robust and resilient security architecture at the beginning of a nuclear power plant’s life cycle. This will enhance the protection of the plant and reduce the need for costly security improvements during its operating life.
• Security by design cannot fully protect a nuclear power plant from rapidly evolving cyberattacks, which expose previously unsuspected or unknown vulnerabilities.
• Careful design of security systems and architecture can – and should – achieve levels of protection that exceed current norms and expectations. However, the sourcing of components from a global supply chain means that the integrity of even the most skilfully designed security regime cannot be guaranteed without exhaustive checks of its components.
• Security by design may well include a requirement for a technical support organization to conduct quality assurance of cyber defences and practices, and this regime should be endorsed by a facility’s executive board and continued at regular intervals after the new build facility has been commissioned.
• Given the years it takes to design, plan and build a new nuclear power plant, it is important to recognize that from the point of ‘design freeze’ onwards, the operator will be building in vulnerabilities, as technology continues to evolve rapidly while construction fails to keep pace with it. Security by design cannot be a panacea, but it is an important factor in the establishment of a robust nuclear security – and cybersecurity – culture.

This roundtable is part of a series under the project, 'Implementing the Commonwealth Cybersecurity Agenda', funded by the UK Foreign and Commonwealth Office (FCO). The roundtable aims to provide a multi-stakeholder, pan-Commonwealth platform to discuss how to implement the Commonwealth Cyber Declaration with a focus on its third pillar 'To promote stability in cyberspace through international cooperation'.

In particular, the roundtable focuses on points 3 and 4 of the third pillar which revolve around the commitment to promote frameworks for stability in cyberspace including the applicability of international law, agreed voluntary norms of responsible state behaviour and the development and implementation of confidence-building measures consistent with the 2015 report of the UNGGE. 

The workshop also focuses on the commitment to advance discussions on how existing international law, including the Charter of the United Nations and applicable international humanitarian law, applies in cyberspace.

The roundtable addresses the issue of global cyber governance from a Commonwealth perspective and will also include a discussion around the way forward, the needed capacity of the different Commonwealth countries and the cooperation between its members for better cyber governance.

Participants include UNGGE members from Commonwealth countries in addition to representatives to the UN Open-Ended Working Group from African countries as well as members from academia, civil society and industry.

Strategic systems that depend on space-based assets, such as command, control and communication, early warning systems, weapons systems and weapons platforms, are essential for conducting successful NATO operations and missions. Given the increasing dependency on such systems, the alliance and key member states would therefore benefit from an in-depth analysis of possible mitigation and resilience measures.

This workshop is part of the International Security Department’s (ISD) project on space security and the vulnerability of strategic assets to cyberattacks, which includes a recently published report. This project aims to create resilience in NATO and key NATO member states, building the capacity of key policymakers and stakeholders to respond with effective policies and procedures. This workshop will focus on measures to mitigate the cyber vulnerabilities of NATO’s space-dependent strategic assets. Moreover, participants will discuss the type of resilience measures and mechanisms required.

Attendance at this event is by invitation only. 

In April 2018, the Commonwealth Heads of Government Meeting (CHOGM), held in London, saw the creation and the adoption of the Commonwealth Cyber Declaration. The declaration outlines the framework for a concerted effort to advance cybersecurity practices to promote a safe and prosperous cyberspace for Commonwealth citizens, businesses and societies. 

The conference will aim to provide an overview on the progress made on cybersecurity in the Commonwealth since the declaration was announced in 2018. In addition, it will examine future challenges and potential solutions going forward.

This conference is part of the International Security Programme's project on Implementing the Commonwealth Cybersecurity Agenda and will convene a range of senior Commonwealth representatives as well as a selection of civil society and industry stakeholders. This project aims to develop a pan-Commonwealth platform to take the Commonwealth Cyber Declaration forward by means of a holistic, inclusive and representative approach.

Please see below meeting summaries from previous events on Cybersecurity in the Commonwealth:  

• A cyberspace that supports economic and social rights online (London)
• Build the foundations of an effective national cybersecurity response (Barbados)
• Promote stability in cyberspace through international cooperation (Addis Ababa)

Attendance at this event is by invitation only. 

The GCC states have invested significantly in cybersecurity and have made large strides in protecting governments, businesses and individuals from cyber threats, with the aim of delivering on their ambitious national strategies and future visions. However, several challenges to cybersecurity and cyber resilience in the region persist, putting those ambitious plans at risk.

These challenges include the uneven nature of cybersecurity protections, the incomplete implementation of cybersecurity strategies and regulations, and the issues around international cooperation. Such challenges mean that GCC states need to focus on the more difficult task of cyber resilience, in addition to the simpler initial stages of cybersecurity capacity-building, to ensure they harness the true potential of digital technologies and mitigate associated threats.

Set against this background, this workshop will explore opportunities and challenges to cyber resilience in the GCC focusing on four main pillars:

1. Cyber resilience: in concept and in practice
2. Building an effective cybersecurity capacity
3. The potential of regional and international cooperation to cyber resilience
4. Deterrence and disruption: different approaches

This event will be held in collaboration with the Arab Regional Cybersecurity Centre (ARCC) and OMAN CERT.

PLEASE NOTE THIS EVENT IS POSTPONED UNTIL FURTHER NOTICE. 

Cyber security is a vital part of the national and international strategic infrastructure and weapons systems. The increasing cyber capabilities of countries such as China, Russia and North Korea put the North Atlantic Treaty Organization’s (NATO’s) nuclear systems - capabilities that include nuclear command, control and communication, weapons systems and early warning systems - in danger.

There is an urgent need to study and address cyber challenges to nuclear assets within NATO and in key NATO countries. Greater awareness of the potential threats and vulnerabilities is key to improving preparedness and mitigating the risks of a cyber-attack on NATO nuclear weapons systems.

Chatham House produces research responding to the need for information on enhancing cybersecurity for command, control and communications. This project constitutes the beginning of the second phase of the Cyber Security of Nuclear Weapons Systems: Threats, Vulnerabilities and Consequences, a report published in January 2018 in partnership with the Stanley Foundation.

The project responds to the need both for more public information on cyber risks in NATO’s nuclear mission, and to provide policy-driven research to shape and inform nuclear policy within NATO member states and the Nuclear Planning Group.

This project is supported by the Ploughshares Fund and the Stanley Foundation.

Summary

• GCC states seek to be leaders in digital innovation, but this leaves them vulnerable to an increasing range of cyberthreats. Governments have invested significantly in cybersecurity but these measures have been unevenly implemented, makingit difficult for these states to be resilient against a large-scale cyber incident.
• Strategies, structures and processes (‘approaches’) for achieving cyber resilience can be conceptualized along a scale from centralized to distributed: centralized approaches maintain decision-making power in a single body, while distributed ones disperse power over many sites.
• Centralized approaches provide more resilience against unwanted influence, while distributed approaches provide more resilience against intrusions into infrastructure. The GCC states have so far prioritized centralized over distributed cyber resilience, seeking internet and social media control over sustainable network recovery.
• GCC governments should make a sustainable commitment to cyber resilience that provides clear guidance to organizations and makes best use of emerging cybersecurity structures. This may involve further engagement with international initiatives and partners to increase cyber resilience.
• Given limited resources, GCC governments should rebalance their efforts from centralized towards distributed approaches to resilience.
• GCC governments should examine the impact of relevant new technologies, discussing openly the risks of these technologies and appropriate solutions.

Complex systems models have played a significant role in informing and shaping the public health measures adopted by governments in the context of the COVID-19 pandemic. For instance, modelling carried out by a team at Imperial College London is widely reported to have driven the approach in the UK from a strategy of mitigation to one of suppression.

Complex systems modelling will increasingly feed into policymaking by predicting a range of potential correlations, results and outcomes based on a set of parameters, assumptions, data and pre-defined interactions. It is already instrumental in developing risk mitigation and resilience measures to address and prepare for existential crises such as pandemics, prospects of a nuclear war, as well as climate change.

The human factor

In the end, model-driven approaches must stand up to the test of real-life data. Modelling for policymaking must take into account a number of caveats and limitations. Models are developed to help answer specific questions, and their predictions will depend on the hypotheses and definitions set by the modellers, which are subject to their individual and collective biases and assumptions. For instance, the models developed by Imperial College came with the caveated assumption that a policy of social distancing for people over 70 will have a 75 per cent compliance rate. This assumption is based on the modellers’ own perceptions of demographics and society, and may not reflect all societal factors that could impact this compliance rate in real life, such as gender, age, ethnicity, genetic diversity, economic stability, as well as access to food, supplies and healthcare. This is why modelling benefits from a cognitively diverse team who bring a wide range of knowledge and understanding to the early creation of a model.

The potential of artificial intelligence

Machine learning, or artificial intelligence (AI), has the potential to advance the capacity and accuracy of modelling techniques by identifying new patterns and interactions, and overcoming some of the limitations resulting from human assumptions and bias. Yet, increasing reliance on these techniques raises the issue of explainability. Policymakers need to be fully aware and understand the model, assumptions and input data behind any predictions and must be able to communicate this aspect of modelling in order to uphold democratic accountability and transparency in public decision-making.

In addition, models using machine learning techniques require extensive amounts of data, which must also be of high quality and as free from bias as possible to ensure accuracy and address the issues at stake. Although technology may be used in the process (i.e. automated extraction and processing of information with big data), data is ultimately created, collected, aggregated and analysed by and for human users. Datasets will reflect the individual and collective biases and assumptions of those creating, collecting, processing and analysing this data. Algorithmic bias is inevitable, and it is essential that policy- and decision-makers are fully aware of how reliable the systems are, as well as their potential social implications.

The age of distrust

Increasing use of emerging technologies for data- and evidence-based policymaking is taking place, paradoxically, in an era of growing mistrust towards expertise and experts, as infamously surmised by Michael Gove. Policymakers and subject-matter experts have faced increased public scrutiny of their findings and the resultant policies that they have been used to justify.

This distrust and scepticism within public discourse has only been fuelled by an ever-increasing availability of diffuse sources of information, not all of which are verifiable and robust. This has caused tension between experts, policymakers and public, which has led to conflicts and uncertainty over what data and predictions can be trusted, and to what degree. This dynamic is exacerbated when considering that certain individuals may purposefully misappropriate, or simply misinterpret, data to support their argument or policies. Politicians are presently considered the least trusted professionals by the UK public, highlighting the importance of better and more effective communication between the scientific community, policymakers and the populations affected by policy decisions.

Acknowledging limitations

While measures can and should be built in to improve the transparency and robustness of scientific models in order to counteract these common criticisms, it is important to acknowledge that there are limitations to the steps that can be taken. This is particularly the case when dealing with predictions of future events, which inherently involve degrees of uncertainty that cannot be fully accounted for by human or machine. As a result, if not carefully considered and communicated, the increased use of complex modelling in policymaking holds the potential to undermine and obfuscate the policymaking process, which may contribute towards significant mistakes being made, increased uncertainty, lack of trust in the models and in the political process and further disaffection of citizens.

The potential contribution of complexity modelling to the work of policymakers is undeniable. However, it is imperative to appreciate the inner workings and limitations of these models, such as the biases that underpin their functioning and the uncertainties that they will not be fully capable of accounting for, in spite of their immense power. They must be tested against the data, again and again, as new information becomes available or there is a risk of scientific models becoming embroiled in partisan politicization and potentially weaponized for political purposes. It is therefore important not to consider these models as oracles, but instead as one of many contributions to the process of policymaking.

The World Health Organization, US Department of Health and Human Services, and hospitals in Spain, France and the Czech Republic have all suffered cyberattacks during the ongoing COVID-19 crisis.

In the Czech Republic, a successful attack targeted a hospital with one of the country’s biggest COVID-19 testing laboratories, forcing its entire IT network to shut down, urgent surgical operations to be rescheduled, and patients to be moved to nearby hospitals. The attack also delayed dozens of COVID-19 test results and affected the hospital’s data transfer and storage, affecting the healthcare the hospital could provide.

In the UK, the National Health Service (NHS) is already in crisis mode, focused on providing beds and ventilators to respond to one of the largest peacetime threats ever faced. But supporting the health sector goes beyond increasing human resources and equipment capacity.

Health services ill-prepared

Cybersecurity support, both at organizational and individual level, is critical so health professionals can carry on saving lives, safely and securely. Yet this support is currently missing and the health services may be ill-prepared to deal with the aftermath of potential cyberattacks.

When the NHS was hit by the Wannacry ransomware attack in 2017 - one of the largest cyberattacks the UK has witnessed to date – it caused massive disruption, with at least 80 of the 236 trusts across England affected and thousands of appointments and operations cancelled. Fortunately, a ‘kill-switch’ activated by a cybersecurity researcher quickly brought it to a halt.

But the UK’s National Cyber Security Centre (NCSC), has been warning for some time against a cyber attack targeting national critical infrastructure sectors, including the health sector. A similar attack, known as category one (C1) attack, could cripple the UK with devastating consequences. It could happen and we should be prepared.

Although the NHS has taken measures since Wannacry to improve cybersecurity, its enormous IT networks, legacy equipment and the overlap between the operational and information technology (OT/IT) does mean mitigating current potential threats are beyond its ability.

And the threats have radically increased. More NHS staff with access to critical systems and patient health records are increasingly working remotely. The NHS has also extended its physical presence with new premises, such as the Nightingale hospital, potentially the largest temporary hospital in the world.

Radical change frequently means proper cybersecurity protocols are not put in place. Even existing cybersecurity processes had to be side-stepped because of the outbreak, such as the decision by NHS Digital to delay its annual cybersecurity audit until September. During this audit, health and care organizations submit data security and protection toolkits to regulators setting out their cybersecurity and cyber resilience levels.

The decision to delay was made to allow the NHS organizations to focus capacity on responding to COVID-19, but cybersecurity was highlighted as a high risk, and the importance of NHS and Social Care remaining resilient to cyberattacks was stressed.

The NHS is stretched to breaking point. Expecting it to be on top of its cybersecurity during these exceptionally challenging times is unrealistic, and could actually add to the existing risk.

Now is the time where new partnerships and support models should be emerging to support the NHS and help build its resilience. Now is the time where innovative public-private partnerships on cybersecurity should be formed.

Similar to the economic package from the UK chancellor and innovative thinking on ventilator production, the government should oversee a scheme calling on the large cybersecurity capacity within the private sector to step in and assist the NHS. This support can be delivered in many different ways, but it must be mobilized swiftly.

The NCSC for instance has led the formation of the Cyber Security Information Sharing Partnership (CiSP)— a joint industry and UK government initiative to exchange cyber threat information confidentially in real time with the aim of reducing the impact of cyberattacks on UK businesses.

CiSP comprises organizations vetted by NCSC which go through a membership process before being able to join. These members could conduct cybersecurity assessment and penetration testing for NHS organizations, retrospectively assisting in implementing key security controls which may have been overlooked.

They can also help by making sure NHS remote access systems are fully patched and advising on sensible security systems and approved solutions. They can identify critical OT and legacy systems and advise on their security.

The NCSC should continue working with the NHS to enhance provision of public comprehensive guidance on cyber defence and response to potential attack. This would show they are on top of the situation, projecting confidence and reassurance.

It is often said in every crisis lies an opportunity. This is an opportunity for the UK government to show agility in how it deals with cyber threats and how it cooperates with the private sector in creating cyber resilience.

It is an opportunity to lead a much-needed cultural change showing cybersecurity should never be an afterthought.

Despite face-to-face diplomatic meetings being increasingly rare during the current disruption, COVID-19 will ultimately force a redefinition of national security and defence spending priorities, and this could provide the possibility of an improved political climate at RevCon when it happens in 2021.

With US presidential elections due in November and a gradual engagement growing between the EU and Iran, there could be a new context for more cooperation between states by 2021. Two key areas of focus over the coming months will be the arms control talks between the United States and Russia, and Iran’s compliance with the 2015 Joint Comprehensive Plan of Action (JCPOA), also known as the Iran Nuclear Deal.

It is too early to discern the medium- and longer-term consequences of COVID-19 for defence ministries, but a greater focus on societal resilience and reinvigorating economic productivity will likely undercut the rationale for expensive nuclear modernization.

Therefore, extending the current New START (Strategic Arms Reduction Treaty) would be the best, most practical option to give both Russia and the United States time to explore more ambitious multilateral arms control measures, while allowing their current focus to remain on the pandemic and economic relief.

Continuing distrust

But with the current treaty — which limits nuclear warheads, missiles, bombers, and launchers — due to expire in February 2021, the continuing distrust between the United States and Russia makes this extension hard to achieve, and a follow-on treaty even less likely.

Prospects for future bilateral negotiations are hindered by President Donald Trump’s vision for a trilateral arms control initiative involving both China and Russia. But China opposes this on the grounds that its nuclear arsenal is far smaller than that of the two others.

While there appears to be agreement that the nuclear arsenals of China, France, and the UK (the NPT nuclear-weapons states) and those of the states outside the treaty (India, Pakistan, North Korea, and Israel) will all have to be taken into account going forward, a practical mechanism for doing so proves elusive.

If Joe Biden wins the US presidency he seems likely to pursue an extension of the New START treaty and could also prevent a withdrawal from the Open Skies treaty, the latest arms control agreement targeted by the Trump administration.

Under a Biden administration, the United States would also probably re-join the JCPOA, provided Tehran returned to strict compliance with the deal. Biden could even use the team that negotiated the Iran deal to advance the goal of denuclearization of the Korean peninsula.

For an NPT regime already confronted by a series of longstanding divergences, it is essential that Iran remains a signatory especially as tensions between Iran and the United States have escalated recently — due to the Qassim Suleimani assassination and the recent claim by Iran’s Revolutionary Guard Corps to have successfully placed the country’s first military satellite into orbit.

This announcement raised red flags among experts about whether Iran is developing intercontinental ballistic missiles due to the dual-use nature of space technology. The satellite launch — deeply troubling for Iran’s neighbours and the EU countries — may strengthen the US argument that it is a cover for the development of ballistic missiles capable of delivering nuclear weapons.

However, as with many other countries, Iran is struggling with a severe coronavirus crisis and will be pouring its scientific expertise and funds into that rather than other efforts — including the nuclear programme.

Those European countries supporting the trading mechanism INSTEX (Instrument in Support of Trade Exchanges) for sending humanitarian goods into Iran could use this crisis to encourage Iran to remain in compliance with the JCPOA and its NPT obligations.

France, Germany and the UK (the E3) have already successfully concluded the first transaction, which was to facilitate the export of medical goods from Europe to Iran. But the recent Iranian escalatory steps will most certainly place a strain on the preservation of this arrangement.

COVID-19 might have delayed Iran’s next breach of the 2015 nuclear agreement but Tehran will inevitably seek to strengthen its hand before any potential negotiations with the United States after the presidential elections.

As frosty US-Iranian relations — exacerbated by the coronavirus pandemic — prevent diplomatic negotiations, this constructive engagement between the E3 and Iran might prove instrumental in reviving the JCPOA and ensuring Iran stays committed to both nuclear non-proliferation and disarmament.

While countries focus their efforts on tackling the coronavirus pandemic, it is understandable resources may be limited for other global challenges, such as the increasing risk of nuclear weapons use across several regions.

But the potential ramifications of the COVID-19 crisis for the NPT regime are profound. Ongoing tensions between the nuclear-armed states must not be ignored while the world’s focus is elsewhere, and the nuclear community should continue to work together to progress nuclear non-proliferation and disarmament, building bridges of cooperation and trust that can long outlast the pandemic.

Summary

• GCC states seek to be leaders in digital innovation, but this leaves them vulnerable to an increasing range of cyberthreats. Governments have invested significantly in cybersecurity but these measures have been unevenly implemented, makingit difficult for these states to be resilient against a large-scale cyber incident.
• Strategies, structures and processes (‘approaches’) for achieving cyber resilience can be conceptualized along a scale from centralized to distributed: centralized approaches maintain decision-making power in a single body, while distributed ones disperse power over many sites.
• Centralized approaches provide more resilience against unwanted influence, while distributed approaches provide more resilience against intrusions into infrastructure. The GCC states have so far prioritized centralized over distributed cyber resilience, seeking internet and social media control over sustainable network recovery.
• GCC governments should make a sustainable commitment to cyber resilience that provides clear guidance to organizations and makes best use of emerging cybersecurity structures. This may involve further engagement with international initiatives and partners to increase cyber resilience.
• Given limited resources, GCC governments should rebalance their efforts from centralized towards distributed approaches to resilience.
• GCC governments should examine the impact of relevant new technologies, discussing openly the risks of these technologies and appropriate solutions.

Despite face-to-face diplomatic meetings being increasingly rare during the current disruption, COVID-19 will ultimately force a redefinition of national security and defence spending priorities, and this could provide the possibility of an improved political climate at RevCon when it happens in 2021.

With US presidential elections due in November and a gradual engagement growing between the EU and Iran, there could be a new context for more cooperation between states by 2021. Two key areas of focus over the coming months will be the arms control talks between the United States and Russia, and Iran’s compliance with the 2015 Joint Comprehensive Plan of Action (JCPOA), also known as the Iran Nuclear Deal.

It is too early to discern the medium- and longer-term consequences of COVID-19 for defence ministries, but a greater focus on societal resilience and reinvigorating economic productivity will likely undercut the rationale for expensive nuclear modernization.

Therefore, extending the current New START (Strategic Arms Reduction Treaty) would be the best, most practical option to give both Russia and the United States time to explore more ambitious multilateral arms control measures, while allowing their current focus to remain on the pandemic and economic relief.

Continuing distrust

But with the current treaty — which limits nuclear warheads, missiles, bombers, and launchers — due to expire in February 2021, the continuing distrust between the United States and Russia makes this extension hard to achieve, and a follow-on treaty even less likely.

Prospects for future bilateral negotiations are hindered by President Donald Trump’s vision for a trilateral arms control initiative involving both China and Russia. But China opposes this on the grounds that its nuclear arsenal is far smaller than that of the two others.

While there appears to be agreement that the nuclear arsenals of China, France, and the UK (the NPT nuclear-weapons states) and those of the states outside the treaty (India, Pakistan, North Korea, and Israel) will all have to be taken into account going forward, a practical mechanism for doing so proves elusive.

If Joe Biden wins the US presidency he seems likely to pursue an extension of the New START treaty and could also prevent a withdrawal from the Open Skies treaty, the latest arms control agreement targeted by the Trump administration.

Under a Biden administration, the United States would also probably re-join the JCPOA, provided Tehran returned to strict compliance with the deal. Biden could even use the team that negotiated the Iran deal to advance the goal of denuclearization of the Korean peninsula.

For an NPT regime already confronted by a series of longstanding divergences, it is essential that Iran remains a signatory especially as tensions between Iran and the United States have escalated recently — due to the Qassim Suleimani assassination and the recent claim by Iran’s Revolutionary Guard Corps to have successfully placed the country’s first military satellite into orbit.

This announcement raised red flags among experts about whether Iran is developing intercontinental ballistic missiles due to the dual-use nature of space technology. The satellite launch — deeply troubling for Iran’s neighbours and the EU countries — may strengthen the US argument that it is a cover for the development of ballistic missiles capable of delivering nuclear weapons.

However, as with many other countries, Iran is struggling with a severe coronavirus crisis and will be pouring its scientific expertise and funds into that rather than other efforts — including the nuclear programme.

Those European countries supporting the trading mechanism INSTEX (Instrument in Support of Trade Exchanges) for sending humanitarian goods into Iran could use this crisis to encourage Iran to remain in compliance with the JCPOA and its NPT obligations.

France, Germany and the UK (the E3) have already successfully concluded the first transaction, which was to facilitate the export of medical goods from Europe to Iran. But the recent Iranian escalatory steps will most certainly place a strain on the preservation of this arrangement.

COVID-19 might have delayed Iran’s next breach of the 2015 nuclear agreement but Tehran will inevitably seek to strengthen its hand before any potential negotiations with the United States after the presidential elections.

As frosty US-Iranian relations — exacerbated by the coronavirus pandemic — prevent diplomatic negotiations, this constructive engagement between the E3 and Iran might prove instrumental in reviving the JCPOA and ensuring Iran stays committed to both nuclear non-proliferation and disarmament.

While countries focus their efforts on tackling the coronavirus pandemic, it is understandable resources may be limited for other global challenges, such as the increasing risk of nuclear weapons use across several regions.

But the potential ramifications of the COVID-19 crisis for the NPT regime are profound. Ongoing tensions between the nuclear-armed states must not be ignored while the world’s focus is elsewhere, and the nuclear community should continue to work together to progress nuclear non-proliferation and disarmament, building bridges of cooperation and trust that can long outlast the pandemic.