Weaponized Cyber Technologies Are Posing a Double Jeopardy

Most countries, companies and civil societies are defenseless against, and potential targets for, today's cyber warriors. The computer networks used by their military and security forces are especially exposed. These countries also lack the technical capacities to develop significant cyber defenses and strategies. Today they depend on the world's most powerful nations and cybersecurity firms to obtain some, but limited, protection.

Even the national regulatory frameworks of the most advanced nations do not provide guidelines that mitigate the threat. Our analysis identifies the following common weaknesses of national frameworks:

They are usually behind the innovation of the threat actors. By the time indictments are issued according to existing regulatory guidelines, new technologies are adopted and new guidelines are already needed.

They are not doing enough to require adequate protection of sensitive companies and institutions. Clearly, given the number of hacks, ranging from benign breaches to those with detrimental impacts on international security, there is not enough guidance on the responsibilities of institutions to prioritize cybersecurity in their core operations.

Cyber law enforcement in many countries is not well resourced and is thus very limited in scope, not up to date with the impending threats, and not in contact with many of the at-risk entities in its jurisdiction.

Jurisdictions that lack clear frameworks for implementing sanctions compliance in cyberspace are targets for sanctions abusers. They contribute to sanctionable behaviors because they don't have the proper stopgaps in place to prevent them. They attract cyber warriors for all kinds of activities, from hosting servers that steal military-grade software from other jurisdictions, to serving as homes for sanctioned actors who run IT front companies to raise money for WMDs. Companies that operate in jurisdictions without clear guidance run the risk of their services being co-opted for sanctioned purposes, and thus expose themselves to potential sanctions from the UN or other countries.

In effect, these countries have not only already lost this arms race - they now face the double jeopardy of being defenseless against

  1. powerful nations' cyber offensives and
  2. cyberattacks by nongovernment belligerents: terrorist organizations, WMD proliferators or militias.

Top-Six Cyber Defense Measures all countries, companies and the UN can institute

Because many cyber attacks are conducted across at least one, sometimes many, national borders, they can easily be considered a threat to international order - an important prerequisite for nations to require UN counteractions.

But individual states can and should defend themselves with some minimal efforts, such as the adoption of legal and regulatory frameworks that outlaw belligerent cyberactors and actions. At the same time, these laws can provide a welcoming business environment for legitimate and responsible cyber actors and especially cyber-security experts.

Similarly, companies operating in countries with weak cyber governance can define and implement Best Cyber Practices and hold their stakeholders accountable if they ignore such standards.

The national public and private sector can now push multilateral decision makers of the UN and its Security Council, the World Bank Group and others to adopt peace-enhancing cyber standards, sanctions and coercive mechanisms against violators.

| # | National Governments | Private Sector Efforts Cybersecurity | Multilateral Institutions: UN Security Council, World Bank Group |
|---|---|---|---|
| 1 | Adopt laws to regulate and to mandate the lawful policing of all digital and virtual activities, including the sale and export of cyber technologies, assets and knowledge, but also cyber-based espionage, sabotage, attacks, theft and digital assets. | Define and adopt Best Cyber Practices consistent with national and international laws. | Define cyber offenses that should be answered with a UN assets freeze, arms embargoes, and other economic measures, and individual travel ban. |
| 2 | Identify which digital hardware, software, and related knowledge is of dual use concern and should therefore be restricted. | Conduct cyber audits to ensure corporate digital technology or assets are not used for illegal purposes or are abused. | Recognize abuses of digital hardware, software, and related knowledge as a dual use concern that requires countermeasures. |
| 3 | Where applicable, restrict access to digital hardware, software, and related knowledge when dual use concerns apply. | Incorporate internal controls that digital hardware, software, and related knowledge is not sold or made otherwise available to those that may abuse them. | Include digital hardware, software, and related knowledge into arms embargoes and strategic trade controls where dual use concerns apply. |
| 4 | Require a duty of care for the protection of data, intellectual property, or virtual assets, that is generated, stored, collected or used by private sector (including by companies, political organizations, academia, or civil society) and government. | Adopt cybersecurity measures, including for the protection of data, intellectual property, or virtual assets, as a security measure that is fully integrated across all business operations, with special guidelines followed for each industry such as for government and military networks. | Consider the theft of data or intellectual property of sensitive technologies cause for the imposition of targeted sanctions on those responsible and benefitting from the theft. |
| 5 | Mandate reporting obligations for individual or private sector victims of cyber crimes. | Report cyber crimes in real-time to national authorities. | Mandate a reporting obligation for states about violations of cyber-related dual use provisions in UN embargoes. |
| 6 | Impose transparency and accounting obligations for e-commerce and cybercurrency exchanges, particularly where national or international security is concerned. | Observe national and international restrictions where e-commerce or cybercurrency exchanges might infringe on national or international prerogatives. | Adopt sanctions against those individuals and companies whose e-commerce or cybercurrency exchanges are used to undermine national or international security. |

Where do we go from here?

Whether loss of life, perhaps mass casualties, will result from hackers interrupting critical infrastructure services such as water or electricity supplies is no longer the question; the question is how soon it will happen.

Most States and companies will not be prepared for these emergencies.

CCSI is actively researching and developing frameworks for national and corporate Best Cyber Practices. Starting with an assessment of each country's laws and regulations, CCSI will also develop blueprints for appropriate laws and regulations in collaboration with interested States, companies and organizations.

At the same time, CCSI will be elaborating further on how UN sanctions could be most effectively applied to cyberthreats to international peace and security.