► The contemporary international climate being plagued by confrontation, even violent territorial expeditions, it may be more useful to investigate how peaceful behaviour in cyberspace can be promoted through practical cybersecurity and resilience building action.

Introduction

The contemporary international climate being plagued by confrontation, even violent territorial expeditions, it may be more useful to investigate how peaceful behaviour in cyberspace can be promoted through practical cybersecurity and resilience building action. Rather than ‘waiting for Godot’ to arrive, I shall offer a pluralist view to the implementation of the cyber norms and the promotion of peaceful cyberspace. [Footnote:  For a more detailed guidance on the implementation of the United Nations Group of Governmental Experts 2015 report cyber norms, see Mika Kerttunen & Eneken Tikk (2020) Putting cyber norms in practice. Implementing the UN GGE 2015 recommendation through national strategies and policies. https://cybilportal.org/publications/putting-cyber-norms-in-practice/ ]

By doing that I argue against a nihilist stand considering the cyber norms impossible to be implanted as well as the singular view which thinks that there is one and only one right way to implement norms and peaceful state behavior. The nihilist view easily seeks to avoid any ‘voluntary and non-binding’ responsibility states may have and the singular view as easily begins to blame others for not being the righteous ones.

This intervention suggests a pragmatic framework of five bottom-up approaches, namely:

• A domestic approach, that builds on the synthesis of shared values, issues and goals that countries have incorporated in their national cybersecurity strategies and policies.[1]
• A systemic approach that looks at how to address the main enablers of cyber conflict in a climate of political contestation.[2]
• A community approach that focuses on the aspirations for peace and stability as expressed in international policy and diplomatic processes.[3]
• An institutional approach that considers the best avenues for each topic and makes use of the many regional and international platforms, venues and processes.[4]
• A dynamics approach that pays attention to national practices of escalation and de-escalation in mitigating cyber incidents.[5]

1. Shared values, issues and goals

 An analysis of national cybersecurity strategies, doctrines and master plan clearly demonstrates how governments across the world mainly stress on a handful of areas when promoting national cybersecurity. The areas are confidentiality, integrity and availability of data, critical infrastructure protection, combatting cybercrime, creating public awareness, and work force development. Relatively many also take stand on international issues, for example, global normative work or regional capacity building. As importantly, governments seem to be unanimous that cybersecurity needs to be promoted by domestic and international cooperation and coordination, maintaining the rule of law, applying a multi-stakeholder approach, emphasizing transparency of action, and honoring privacy of human beings. 

National cybersecurity strategies seldom are posturing or aggressive by nature. Further work to implement these strategies and to encourage the perhaps 80 countries which have not issued such explicit policy papers, would organically strengthen national and international cybersecurity and practically yet often without greater publicity promote peaceful cyberspace.

2. Enablers of incidents

Similarly, daily work on reducing the factors which directly or indirectly allow, or encourage cyber incidents to take place or having the impacts they have, represents an indirect and most useful approach. We categorized enablers to three clusters, governance and policies, technology and infrastructure, and social and human matters. Of particular enablers one can mention for example stockpiling of exploits, endorsements of cyber operations, and weak targets without repelling or strengthening policies, procedure and resources: use of general service levels in value targets, vulnerable web servers and lax patching culture: and dependence of ICT and digital systems and services, the success of ransomware, and support to hacktivist and cyber-criminal groups.

Particularly important it is to notice that the reduction of enablers widens the preventive and protective cybersecurity measures the easily antagonist threat and vulnerabilities discourse in a peaceful manner.

3. Aspirations of peace and stability

States have clear views on issues which either stabilize or destabilize international relations. As expressed in national submission to the United Nations General Assembly, the former include among others universal compliance with rules and international agreements, access to science and knowledge, and shared benefits: the destabilizing issues include for example lack of accountability, ethical vacuums, and unilateral action and benefits. These accounts should be taken as guidelines of domestic action in and toward cyberspace.

4. Levels and locations of action

Throughout the years several venues and approaches to cybersecurity have emerged. As they have different agendas and possess different means and tools, it is advisable to investigate where and how states can promote peaceful cyberspace and subsequent responsible state behavior. For example, as global progress seems currently unlikely, regional endeavors may prove both feasible and effective. Despite the fact that cyberspace is universal, neighboring countries often have similar, contingent challenges and a history of both conflict and cooperation to build on. They can often also be more capable to understand and communicate with each other than those countries from distant continents.  

5. Escalatory and de-escalatory practices

It also pays to analyze and detect how governments and agencies act and react in cyber crises and incidents. Greater awareness of e.g. organizational or educational patterns of behavior may reveal biases which rather than promote effective incident management, let alone peaceful cyberspace, escalate the situation by e.g. greater international attention and involvement or undisciplined analysis and communication.

Conclusion

This analysis was based on the assumption of the utility of a pragmatic and bottom-up approach. As a top-down, global and universally shared approach was considered utopian, at least currently, it is not surprising that the findings encourage states - governments, agencies and civil servants and experts - to do some homework and work at home. And even if and when the international climate of enmity and antagonism will be replaced by friendship and cooperation, it won’t be wrong to argue and act upon the belief that cybersecurity, and peaceful cyberspace, too, starts at home.

[1] This argument is based on the analysis of national cybersecurity strategies which was published by the EU Cyber Direct program. (Mika Kerttunen & Eneken Tikk (2018). Strategically Normative. Norms and principles in national cybersecurity strategies, https://eucyberdirect.eu/research/strategically-normative-norms-and-principles-in-national-cybersecurity-strategies. 

[2] This argument builds on the Cyber Policy Institute’s analysis of main state-on-state effect/creating cyber operations. See, also  the European Repository of Cyber Incidents (https://eurepoc,.eu) for a database and detailed analysis of over two thousand cyber incidents since year 2000.

[3] This argument builds on the Cyber Policy Institute’s analysis of UN General Assembly statements concerning international stability (unpublished).

[4] This argument builds on the Cyber Policy Institute’s analysis of the processes and agendas of cybersecurity and related topics (unpublished).

[5] This argument builds on the Cyber Policy Institute’s analysis of domestic practices in cyber incident mitigation (unpublished).