Modern societies are very dependent on ICTs, from the food we eat, to the transportation that we use, to the services we consume on the internet. Most of these technologies were designed for civilian purposes by private companies. Governments don’t find out about them until the products are in the marketplace. That means governance of those technologies, and the norms surrounding their use, are being developed at the domestic level, but at the international level they’re mostly trailing events. As a result, you get very few norms on the way that states use cyber technologies for national security.
A number of implications flow from this, the first of which is attribution uncertainty. What that means is that when an action takes place in cyberspace, authorship is in doubt or is ambiguous.
A second implication is offence dominance. What that means in cyber security is that offence or attack is easier than defence or protection. Defenders have to defend a hundred percent of the attack surface; attackers only have to be successful against one percent of that attack surface to achieve their ends.
Thirdly, we need to consider the implications of pervasive vulnerability in critical infrastructure due to cyber technologies. This is significant because around 25 years ago most Western governments, at least, started to adopt commercial technologies into defence systems and weapons systems. That meant that the vulnerability of commercial components migrated from the private sector into the public sector and into defence applications.
Finally, we need to consider the antiquated legal regime that governs the use of force in international relations and whether it can successfully accommodate cyberspace and cyberspace operations. Most cyber activities are not uses of force, so most of the international legal regime doesn’t apply.
In terms of what must be done or what should be done to restabilize the international environment, it’s probably necessary for states to try and define what’s permissible behaviour. That means talking about or defining red lines, which, if crossed, will lead to retaliation or costs. Clarity on that will make the risks of activity clear and the consequences of violating nascent rules or norms clear as well.