Towards a Peaceful Development of Cyberspace - Challenges and Technical Measures for the De-escalation of State-led Cyberconflicts and Arms Control of Cyberweapons

Cyberspace, already a few decades old, has become a matter of course for most of us, part of our everyday life. At the same time, this space and the global infrastructure behind it are essential for our civilizations, the economy and administration, and thus an essential expression and lifeline of a globalized world. However, these developments also create vulnerabilities and thus, cyberspace is increasingly developing into an intelligence and military operational area – for the defense and security of states but also as a component of offensive military planning, visible in the creation of military cyber-departments and the integration of cyberspace into states' security and defense strategies. In order to contain and regulate the conflict and escalation potential of technology used by military forces, over the last decades, a complex tool set of transparency, de-escalation and arms control measures has been developed and proof-tested. Unfortunately, many of these established measures do not work for cyberspace due to its specific technical characteristics. Even more, the concept of what constitutes a weapon – an essential requirement for regulation – starts to blur for this domain. Against this background, this thesis aims to answer how measures for the de-escalation of state-led conflicts in cyberspace and arms control of cyberweapons can be developed. In order to answer this question, the dissertation takes a specifically technical perspective on these problems and the underlying political challenges of state behavior and international humanitarian law in cyberspace to identify starting points for technical measures of transparency, arms control and verification. Based on this approach of adopting already existing technical measures from other fields of computer science, the thesis will provide proof of concepts approaches for some mentioned challenges like a classification system for cyberweapons that is based on technical measurable features, an approach for the mutual reduction of vulnerability stockpiles and an approach to plausibly assure the non-involvement in a cyberconflict as a measure for de-escalation. All these initial approaches and the questions of how and by which measures arms control and conflict reduction can work for cyberspace are still quite new and subject to not too many debates. Indeed, the approach of deliberately self-restricting the capabilities of technology in order to serve a bigger goal, like the reduction of its destructive usage, is yet not very common for the engineering thinking of computer science. Therefore, this dissertation also aims to provide some impulses regarding the responsibility and creative options of computer science with a view to the peaceful development and use of cyberspace

Delphi Study of International Cybersecurity Norms

Unregulated state cyberattacks are an urgent threat to international peace and security because of the costs they impose and the devastating effects they can create. However, international norms governing state cyberattacks (international cybersecurity norms) have not yet emerged. The lack of meaningful consequences for state cyberattacks, and the high rewards derived from them, incentivize states to engage in this new form of hostile conduct (cyberconflict). The problem addressed in this modified Delphi study was the persistent struggle between authoritarian and democratic states over competing international cybersecurity norms that cause cyberconflict to remain unregulated. Kingdon’s multiple streams framework was used as a theoretical lens to examine the norm emergence process. Data were collected from a panel of experts in international cybersecurity norms. Three rounds of online questionnaires were administered, with participant feedback between rounds, to build a consensus opinion. Six participants completed all rounds. Terms and phrases of participants were used to create codes, and related codes were grouped to reveal patterns and develop themes. The panel did not establish strong consensus (Kendal’s W ≥ .75) regarding the ranking of the issues but defined the points of disagreement and reached a weak consensus on the top three issues: problem nature, attribution, and threat perception. Findings may inform positive social change through future efforts to create the conditions necessary for international cybersecurity norms to emerge, thereby contributing to international peace and security

U.S. strategic cyber deterrence options

The U.S. government appears incapable of creating an adequate strategy to alter the behavior of the wide variety of malicious actors seeking to inflict harm or damage through cyberspace. This thesis provides a systematic analysis of contemporary deterrence strategies and offers the U.S. the strategic option of active cyber defense designed for continuous cybered conflict. It examines the methods and motivations of the wide array of malicious actors operating in the cyber domain. The thesis explores how the theories of strategy and deterrence underpin the creation of strategic deterrence options and what role deterrence plays with respect to strategies, as a subset, a backup, an element of one or another strategic choice. It looks at what the government and industry are doing to convince malicious actors that their attacks will fail and that risk of consequences exists. The thesis finds that contemporary deterrence strategies of retaliation, denial and entanglement lack the conditions of capability, credibility, and communications that are necessary to change the behavior of malicious actors in cyberspace. This research offers a midrange theory of active cyber defense as a way to compensate for these failings through internal systemic resilience and tailored disruption capacities that both frustrate and punish the wide range of malicious actors regardless of origin or intentions. The thesis shows how active cyber defense is technically capable and legally viable as an alternative strategy in the U.S. to strengthen the deterrence of cyber attacks