
From the CEO’s Desk

by Stéphane Duguin, CEO of the CyberPeace Institute

Highlighting some of the issues, challenges and opportunities in cyberspace that keep me awake at night, whether because they inspire or worry me!

The cyberattack campaign against Ukraine should preoccupy us all. It is not surprising that it comes at a time of increasing geopolitical tensions and is a stark reminder that escalation in the physical realm is generally matched by cyberattacks, espionage operations, and disinformation. For Ukraine there has not been cyberpeace for many years. Recent history has shown that cyberattacks have harmed Ukraine’s civilian population and critical infrastructure, without any accountability of the ones inflicting harm. Escalation without accountability is a very real danger to civilian lives. This is of utmost concern; see our statement in this regard. Civilians and infrastructure ensuring the delivery of essential services must be spared from attack.

I was really disheartened to learn of the cyberattack affecting the International Committee of the Red Cross (ICRC) in January. This is an organization that embodies humanity through its work to bring lifesaving assistance and protection to the most vulnerable throughout the world – those living in situations of war and violence. Targeting this organization because of, and through the data that it holds, in this case on people who are seeking the fate of their missing relatives and family reunion, is abhorrent and should be widely condemned. This case, like many others, should shock us all to the core. It highlights the vulnerability of the whole humanitarian sector to cyberattacks. The fact that many such organizations hold highly sensitive data on individuals makes them a target. The potential to misuse and abuse sensitive information, if accessed, opens vulnerable individuals to potential re-victimization. We are supporting the humanitarian sector to become more resilient against attacks, and we are committed to holding the ones attacking them to account. If you would like to support this endeavour, contact us.

Both stories highlight the main roadblock to cyberpeace: impunity. This builds upon the lack of political willingness to hold perpetrators accountable. If you look at recent arrests and attribution efforts for different types of cyberattacks through this lens, there are some important questions raised. REvil has seen multiple crackdowns against its affiliates and operators, with the most recent arrests in Russia. The NSO Group has been attributed in court filings and forensic analysis investigations as the provider of the technology used to target elected officials, journalists and activists. Russia and Iran have seen some attacks politically attributed to them. How useful are these efforts for the many victims of these attacks? How easy is it to seek redress and justice? Identifying malicious actors and attributing attacks is not enough. Bringing attackers to justice, domestic or international, and constantly holding actors accountable is the end goal. We are still far from the mark.

This should be at the heart of the ongoing negotiations at the United Nations. Whatever their focus, cybersecurity or the fight against cybercrime, it is more critical than ever that any international instrument enforces accountability and empowers victims to seek redress and justice. Victims of attacks do not really care if discussions are happening in the UN First or Third Committee. They do care that international instruments are designed with their interests in mind, to ensure effective remedy and an adequate set of human rights safeguards for vulnerable communities. I will ensure a continued focus of the CyberPeace Institute on this. Should you want to work with us on these topics, contact me.

A last thought, coming from a recent report by Gartner. The report states that the percentage of nation states passing legislation to regulate ransomware payments, fines, and negotiations will rise to 30 percent by the end of 2025, compared to less than 1 percent in 2021. It highlights that there may be a more aggressive crackdown on ransom payments and that greater consideration will need to be given to the ethical, legal and moral implications of paying ransoms. I touched on this matter in a recent article. This is one of the many indicators that cybercrime is not only constantly on the rise, but also that the legal, normative and technical ecosystem in which it evolves is in constant flux. The recent work of the Oxford Process on International Law Protections in Cyberspace, clarifying the protections as they relate to ransomware, is a good step forward. My advice: don’t take your eyes off the big picture; this is more than just a cybersecurity issue.

I had hoped for less sober reading in this edition of From the CEO’s Desk; however, the year is looking very challenging for cyberpeace.

I would love to hear your thoughts on any of the points I raise, and/or what subjects you think should be keeping me awake. You can get in touch with me via [email protected]

Stéphane Duguin 
