How the War in Ukraine is Impacting the Prospects for Cyber Peace

Volumes will be written about the many impacts of Russia’s invasion of Ukraine, but one under appreciated area in which the implications of the war are playing out is on the future of cybersecurity norm building, and more broadly the drive for cyber peace. In April 2022, for example, Microsoft released a report detailing the multi-faceted cyber campaign being orchestrated by the Kremlin. In all, investigators were able to document 237 cyber operations, including a number of cyber attacks targeting civilians and civilian infrastructure, mirroring the indiscriminate kinetic attacks from Russian military forces. Indeed, some forty percent of the total observed attacks were targeting Ukrainian critical infrastructure, often in close coordination with kinetic attacks including broadcasters.

Thus, rather than being ‘all quiet on the digital front’ as many commentators had been arguing given the relative paucity of cyber attacks compared to the Russian government’s cyber capabilities and demonstrated willingness to use them, cyber attacks appear to be an increasingly important aspect of the ongoing war. So far, though, Ukraine in close partnership with NATO and leading vendors has been able to safeguard Ukrainian systems from many of the most damaging attacks. Similarly, defenders – along with the U.S. intelligence community - has been more successful than past operations in actively countering Russian disinformation and misinformation. In many ways, Ukraine has been at war since 2014 when Russia annexed the Crimean peninsula and began the clandestine invasion of Eastern Ukraine. It is also no stranger to cyber attacks, having been a regular target and testing bed for both Russian cyber and information warfare for years.

In a world beset by pervasive cyber insecurity along with an active shooting war in Ukraine, it may seem odd to discuss the prospects for cyber peace. From ransomware impacting communities around the world, to state-sponsored attacks on electrical infrastructure, to disinformation campaigns spreading virally on social media, we seem to have relatively little bandwidth left over for asking the big questions, including: what is the best we can hope for in terms of “peace” on the Internet, and how might we get there? Yet the stakes couldn’t be higher, for Ukraine, but also the international community. McKinsey, for example, has argued that by 2022 “$9 trillion to $21 trillion of economic value creation, worldwide, [will] depend on the robustness of the cybersecurity environment.”

Thus, although cyberspace today appears to be anything but peaceful, there has been progress in the global drive for peace and security in cyberspace. For example, more than seventy-seven nations and over 600 companies have signed the Paris Call for Trust and Security in Cyberspace. This process is not unlike the multistakeholder journey that culminated in the 2015 Paris Climate Accord. And progress has not stalled. In March 2021, for example, some 150 countries agreed, for the first time, on a draft set of cyber norms to guide state behavior in cyberspace. These norms were agreed to by Russia, China, the United States, and the European Union, and include protection for civilian critical infrastructure.

Digital conflict and military action are increasingly intertwined, and civilian targets – private businesses and everyday Internet users alike – are vulnerable, as we unfortunately see in Ukraine today. As the Global Commission on Stability in Cyberspace makes clear, “conflict between states will take new forms, and cyberactivities are likely to play a leading role in this newly volatile environment, thereby increasing the risk of undermining the peaceful use of cyberspace to facilitate the economic growth and the expansion of individual freedoms.” So, is the peaceful use of cyberspace possible? “Cyber peace” is difficult to define; as difficult, if not more so than its offline comparator. The term “cyber peace” seems to have originated during a program “at the Vatican’s Pontifical Academy of Sciences in December 2008,” though it was being used before that date, indeed as early as 2005 as is explored by Professor Renée Marlin-Bennett in our new edited volume published by Cambridge University Press in 2022, Cyber Peace: Charting a Path Toward a Sustainable, Stable, and Secure Cyberspace.

“Cyber peace,” sometimes also called “digital peace,” is a term that is increasingly used, but still little understood. It is clearly more than the “absence of violence” online, which was the starting point for how Professor Johan Galtung described the new field of peace studies he helped to found in 1969. Similarly, Galtung argued that agreeing on universal definitions for “peace” or “violence” was unrealistic; instead, the goal should be landing on a “subjectivistic” definition agreed to by the majority. In so doing, he recognized that as society and technology changes, so too should our conceptions of peace and violence (an observation that’s arguably equally applicable both online and offline). That is why he defined violence as “the cause of the difference between the potential and the actual, between what could have been and what is.”

Extrapolating from this logic, as technology advances, be it biometrics or blockchain, the opportunity cost of not acting to ameliorate suffering grows, as do the capabilities of attackers to cause harm. This highlights the fact that cyber peace is not a finish line, but rather is an ongoing process of due diligence and risk management. In this way, we define a positive cyber peace as a polycentric system that: (1) respects human rights and freedoms, (2) spreads Internet access along with cybersecurity best practices, (3) strengthens governance mechanisms by fostering multi-stakeholder collaboration, and (4) promotes stability and relatedly sustainable development. These four pillars of cyber peace may be constructed by clarifying the rules of the road for companies and countries alike to help reduce the threats of cyber war, terrorism, crime, and espionage to levels comparable to other business and national security risks. This could encourage the movement along a cyber peace spectrum toward a more resilient, stable, and sustainable Internet ecosystem with systems in place to “deter hostile or malicious activity” and in so doing promote both human and national security online and offline.

As we see in Ukraine a key issue remains regarding enforcement of norms such as through graduated sanctions, which are an important aspect of the Ostrom Design Principles for institutional analysis. The international community could focus some of the penalties being imposed on Russia in punishment for its indiscriminate cyber operations to help strengthen the eleven cyber norms and incentivize responsible state behavior in cyberspace. There could also be an effort to create a series of Cyber Peace Goals, reminiscent of the Sustainable Development Goals, and even a Cyber Peace Index to help further operationalize core standards including defining “reasonable” cybersecurity. In short, Russia’s invasion of Ukraine sets back the movement for cyber peace, but also provides the international community with an opportunity to enforce these new rules of the road and in so doing help build a path toward a durable, lasting cyber peace.