The OSCE’s Pioneering Work on Cyber Security
On 10 March, the 57 OSCE participating States unanimously adopted a landmark decision on Confidence-Building Measures (CBMs) for the cyber space. Decision No. 1202, entitled ‘OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies’, was adopted by the OSCE Permanent Council and expands a previous set of cyber security CBMs adopted by the OSCE in 2013.
The OSCE has a long tradition in the area of CBMs, which are generally designed to help improve relations between states, achieve a peaceful settlement of a conflict or prevent the outbreak of military confrontation. For example, the OSCE has developed military confidence- and security-building measures as laid down in the 2011 Vienna Document, encouraging states to exchange military information. The OSCE has also worked on non-military CBMs, such as people-to-people contacts between Moldova and Transdniestria.
Hence, it was only natural for the OSCE to expand CBMs to the cyber space.
The latest decision on CBMs for the cyber space is indeed of particular significance, as the OSCE is to date the only regional security organization that has succeeded in adopting such a comprehensive set of CBMs for the cyber domain. Critics may consider the decision weak, given the voluntary nature of the commitments. Yet, states have surpassed expectations when it comes to the implementation of the 2013 decision. Peer review and pressure are driving forces in this context. Furthermore, the politically binding nature of the decision helped states build consensus in the first place. It would have been impossible to arrive at a similar decision on a legally binding basis.
What makes the decision even more ground-breaking is the fact that it was adopted unanimously by 57 states that actually hold very diverse opinions and policies regarding the cyber space. For example, western states and Russia not only disagree on how to handle and prevent a cyber attack, but they also hold fundamentally opposing views on issues such as the level of state control over the internet or the content of the internet.
Such opposing views make negotiations on enhancing cyber security very difficult. Yet, what all states agree on is the fact that cyber security is a matter of national security and that there are currently not enough tools available to help states deescalate the situation when a cyber attack occurs.
For example, in the past, cyber attacks have been launched against governmental servers and banking systems. Such attacks can cause great damage, as governmental or personal data may be compromised and get into the wrong hands. Cyber attacks have also occurred during interstate conflict and alongside conventional warfare, as was the case in Ukraine. According to the United Nations Institute for Disarmament Research (UNIDIR), some 47 UN member states have active cyber programmes that give some role to the armed forces.
One could also imagine a hypothetical, even more dangerous attack, such as on the emergency system of a nuclear power plant, which could potentially cause very severe damage and harm.
One of the main reasons why cyber attacks are so dangerous is the difficulty of determining who is behind an attack. A cyber attack can come from a friendly state or a foe, but also from a non-state actor. This leads to a lot of speculation, but also to misunderstanding and misperception, potentially leading to a dangerous escalation of an already existing conflict.
What adds to the complexity is the fact that states at the same time carry out cyber attacks (for example for the purpose of spying) and become victims of such attacks.
It is therefore vital that – once a cyber attack occurs – states possess tools that will help them deescalate the situation and that will bring more certainty into an environment that is dominated by uncertainty. This is where the OSCE CBMs come in.
Following guidance from a United Nations Group of Governmental Experts, the OSCE, as a regional arrangement under Chapter VIII of the UN Charter, has created a three-step approach to enhance cyber security. The measures are becoming progressively more ambitious as trust is being built over time.
As a first step, in 2013, an initial package of voluntary transparency CBMs was adopted, aiming at helping states take better-informed decisions once a cyber attack occurs. This in itself was already a game changer, as the information provided through the transparency measures helps states read the behavior of other states better, thus making it easier to determine the origin of a cyber attack. In addition, in the event of a cyber attack, there are now communication lines which enable states to seek clarification from one another. The relevance of these transparency measures is further underlined by the fact that, according to experts, there have been events in the past three years where states have actually made use of these measures.
As a second step, on 10 March the OSCE states agreed on a set of voluntary cooperative CBMs, which aim at creating working levels between states that have not cooperated, or have rarely cooperated, in the past. In this latest decision, OSCE states have agreed not only to share information for the sake of transparency but also to start engaging in joint activities in order to enhance cyber security. For example, OSCE states have agreed to hold workshops, seminars and roundtables to discuss how to prevent conflict stemming from the use of ICTs and to conduct activities for officials and experts. OSCE states have also agreed to enhance collaboration between authorities that are responsible for the security of critical infrastructure (for example hospitals), as cyber attacks on such infrastructure are particularly harmful to civilians.
As a third step, OSCE states continue to work on an additional set of voluntary stability CBMs that they are hoping to adopt in the future. Such stability measures could include a political commitment to refrain from launching a cyber attack against civilian and critical infrastructure or to commit to using a common check list before reacting to a cyber attack.
All CBMs are implemented through an informal working group which brings together experts from capitals, meeting at least three times a year. In addition, the OSCE POLIS Online Information System is being used as an online tool to communicate and exchange information on CBMs.
In conclusion, the OSCE’s work on cyber security can indeed be seen as pioneering and deserves much more attention in the future.