Weaponized Cyber Technologies
Pose a Double Jeopardy

Most countries, companies, and civil societies, are defenseless against the potential targets of today's cyber warriors, especially computer networks used by military and security forces. They also lack the technical capacities to develop significant cyber defenses and strategies. Today they depend on the world's most powerful nations and cybersecurity firms to obtain limited protection.

Even the national regulatory frameworks of the most advanced nations do not provide guidelines that mitigate the threat. Our analysis of the common weaknesses of national frameworks include the following:

They usually lag behind innovation by the threat actors. By the time indictments are issued according to existing regulatory guidelines, new technologies are adopted and new guidelines are already needed.

They do not require adequate protection of sensitive companies and institutions. Clearly with the high incidence of hacks ranging from benign breaches to detrimental impacts on international security, there is not enough guidance on the responsibilities of institutions to prioritize cybersecurity in their core operations.

Cyber law enforcement in many countries is not well resourced and is thus very limited in scope, not up-to-date with the impending threats, and not interacting with many at-risk entities in its jurisdiction.

Jurisdictions that lack clear frameworks for implementing sanctions compliance in cyberspace are targets for sanctions abusers. They contribute to sanctionable behaviors because they lack the proper stop gaps in place to prevent them. They attract cyber warriors in all kinds of activities, from hosting servers that steal military-grade software from other jurisdictions, to homes for sanctioned actors to run IT front companies to raise money for WMD. Companies that operate in jurisdictions without clear guidance run the risk of their services being co-opted for sanctioned purposes, thus exposing themselves to potential sanctions of the UN or individual countries.

In effect, these countries have not only already lost this arms race - they now face the double jeopardy of being defenseless against:

  1. Powerful nations' cyber offensives and
  2. Cyberattacks by nongovernment belligerents such as terrorist organizations, WMD-proliferators or militias.

The top six cyber defense measures that all countries, companies and the UN can institute:

Because many cyber attacks are conducted across at least one and sometimes many different national borders, they can easily be considered to threaten the international order - an important perquisite for UN counteractions.

But individual states can and should defend themselves with some minimal efforts, such as the adoption of legal and regulatory frameworks that outlaw belligerent cyber actors and actions. At the same time, these laws can provide a welcoming business environment for legitimate and responsible cyber actors and especially cyber-security experts.

Similarly, companies operating in countries with weak cyber governance can define and implement Best Cyber Practices and hold their stakeholders accountable if they ignore such standards.

The national public and private sectors can now push multilateral decision-makers of the UN and its Security Council, the World Bank Group and others, to adopt peace-enhancing cyber standards, sanctions and coercive mechanisms against violators.

# National Governments Private Sector Efforts On Cybersecurity Multilateral Institutions: UN Security Council, World Bank Group
1 Adopt laws to regulate and mandate the lawful policing of all digital and virtual activities, including the sale and export of cyber technologies, assets and knowledge, and cyber-based espionage, sabotage, attacks, theft and digital assets Define and adopt Best Cyber Practices consistent with national and international laws. Define cyber offenses that should be answered with a UN assets freeze, arms embargo, economic measures, or individual travel ban.
2 Identify which digital hardware, software, and related knowledge is of dual-use concern and should therefore be restricted. Conduct cyber audits to ensure corporate digital technology or assets are not used for illegal purposes or abused. Recognize abuses of digital hardware, software, and related knowledge as a dual-use concern that requires countermeasures.
3 Where applicable, restrict access to digital hardware, software, and related knowledge when dual-use concerns apply. Incorporate internal controls to guard against digital hardware, software, and related knowledge being sold or made otherwise available to those who may abuse them. Include digital hardware, software, and related knowledge in arms embargoes and strategic trade controls where dual-use concerns apply.
4 Require a duty of care for the protection of data, intellectual property, or virtual assets, that is generated, stored, collected or used by private sector (including by companies, political organizations, academia, or civil society) and government. Adopt cybersecurity measures, including for the protection of data, intellectual property, or virtual assets, as a security measure that is fully integrated across all business operations, with special guidelines followed for each industry such as government and military networks. Consider the theft of data or intellectual property of sensitive technologies cause for the deployment of targeted sanctions on those responsible and benefiting from the theft.
5 Mandate reporting obligations for individual or private sector victims of cyber crimes. Report cyber crimes in real-time to national authorities. Mandate a reporting obligation for states on violations of cyber-related dual-use provisions in UN embargoes.
6 Impose transparency and accounting obligations for e-commerce and cybercurrency exchanges, particularly where national or international security is concerned. Observe national and international restrictions where e-commerce or cybercurrency exchanges might infringe on national or international prerogatives. Adopt sanctions against those individuals and companies whose e-commerce or cybercurrency exchanges are used to undermine national or international security.

1. Adopt laws to regulate and mandate the lawful policing of all digital and virtual activities, including the sale and export of cyber technologies, assets and knowledge, and cyber-based espionage, sabotage, attacks, theft and digital assets

2.Identify which digital hardware, software, and related knowledge is of dual-use concern and should therefore be restricted.

3. Where applicable, restrict access to digital hardware, software, and related knowledge when dual-use concerns apply.

4. Require a duty of care for the protection of data, intellectual property, or virtual assets, that is generated, stored, collected or used by private sector (including by companies, political organizations, academia, or civil society) and government.

5. Mandate reporting obligations for individual or private sector victims of cyber crimes.

6. Impose transparency and accounting obligations for e-commerce and cybercurrency exchanges, particularly where national or international security is concerned.

1. Define and adopt Best Cyber Practices consistent with national and international laws.

2. Conduct cyber audits to ensure corporate digital technology or assets are not used for illegal purposes or abused.

3. Incorporate internal controls to guard against digital hardware, software, and related knowledge being sold or made otherwise available to those who may abuse them.

4. Adopt cybersecurity measures, including for the protection of data, intellectual property, or virtual assets, as a security measure that is fully integrated across all business operations, with special guidelines followed for each industry such as government and military networks.

5. Report cyber crimes in real-time to national authorities.

6. Observe national and international restrictions where e-commerce or cybercurrency exchanges might infringe on national or international prerogatives.

1. Define cyber offenses that should be answered with a UN assets freeze, arms embargo, economic measures, or individual travel ban.

2. Recognize abuses of digital hardware, software, and related knowledge as a dual-use concern that requires countermeasures.

3. Include digital hardware, software, and related knowledge in arms embargoes and strategic trade controls where dual-use concerns apply.

4. Consider the theft of data or intellectual property of sensitive technologies cause for the deployment of targeted sanctions on those responsible and benefiting from the theft.

5. Mandate a reporting obligation for states on violations of cyber-related dual-use provisions in UN embargoes.

6. Adopt sanctions against those individuals and companies whose e-commerce or cybercurrency exchanges are used to undermine national or international security.

WHERE DO WE GO FROM HERE?

That loss of life and even mass casualties will result because of hackers interrupting critical infrastructure services such as water or electricity supplies is not a question of when, but rather how soon it will happen.

Most states and companies will not be prepared for these emergencies.

CCSI is actively researching and developing frameworks for national and corporate Best Cyber Practices. Beginning with assessing each country's laws and regulations, CCSI will also develop collaboratively with interested states, companies and organizations, blueprints for appropriate laws and regulations.

At the same time, CCSI will be elaborating further on how UN sanctions could be most effectively applied to cyberthreats to international peace and security.