OSCE Expands Its List of Confidence-Building Measures For Cyberspace: Common Ground on Critical Infrastructure Protection

On 10 March 2016, the Permanent Council of the Organisation for Security and Cooperation in Europe adopted Decision No. 1202 on OSCE confidence-building measures (CBMs) to reduce the risks of conflict stemming from the use of information and communication technologies (ICTs). The leading idea behind the CBMs, following similar practices from the Cold War era, is to have a system of direct communication between states to defuse conflicts and prevent unintentional escalation. The Decision adds five new CBMs and a new section of ‘Considerations’ to Decision No. 1106 from 3 December 2013 which established the initial set of 11 CBMs (see the earlier Incyder article).

We have classified the CBMs, now 16 in total, into several categories for clarity. The five new CBMs added by Decision No. 1202 are numbered 12 to 16.

1. Sharing, providing and exchanging information

Most of the CBMs talk about participating states voluntarily sharing information, and they cover the following topics:

  • ICT threats and vulnerabilities (CBMs 1 and 16);
  • ICT security (CBM 2);
  • critical infrastructure, including ICT-enabled critical infrastructure (CBMs 3 and 15);
  • measures taken to ensure an open, interoperable, secure, and reliable Internet (CBM 4);
  • best practices (CBMs 5, 14 and 15);
  • awareness-raising (CBM 5);
  • countering terrorist or criminal use of ICTs (CBM 6);
  • national organisation, strategies, policies and programmes, including public-private cooperation in ICT security (CBM 7); and
  • national ICT security terminology (CBM 9).

2. Facilitating communication

The CBMs also propose mechanisms for sharing information on the above-mentioned topics. The following voluntary mechanisms are to facilitate communication between participating states:

  • consultations at the appropriate level in order to reduce the risks of misperception and of possible conflict triggered by the use of ICTs (CBM 3);
  • using the OSCE as a platform for dialogue (CBM 5), including the OSCE Communications Network (CBM 10) and the meetings of designated experts, at least three times each year, within the framework of the Security Committee and its Informal Working Group (CBM 11);
  • nominating a point of contact to facilitate communication and dialogue on ICT security (CBM 8);
  • providing and updating contact data of official national structures that manage ICT-related incidents (which presumably means CERT/CSIRT teams) (CBM 8);
  • measures to ensure rapid communication at policy levels of authority (CBM 8);
  • information-sharing in different formats, including workshops, seminars, and roundtables, also involving representatives of the private sector, academia, centres of excellence, and civil society (CBM 12);
  • a slightly cryptic reference to ‘activities for officials and experts to support the facilitation of authorised and protected communication channels to prevent and reduce the risks of misperception, escalation, and conflict; and to clarify technical, legal and diplomatic mechanisms to address ICT-related requests’ (CBM 13); and
  • ‘shared responses to common challenges including crisis management procedures in case of widespread or transnational disruption of ICT-enabled critical infrastructure’ (CBM 15).

3. Steps to consider

Other CBMs include steps to be considered by states at a national or international level:

  • enacting effective national legislation to enable bilateral cooperation in counterterrorism and criminal law matters (CBM 6);
  • producing a consensus ICT security glossary (CBM 9);
  • promoting public-private partnerships (CBM 14);
  • ‘[a]dopting voluntary national arrangements to classify ICT incidents in terms of the scale and seriousness of the incident’ (CBM 15);
  • ‘[i]mproving the security of national and transnational ICT-enabled critical infrastructure […]’ (CBM 15); and
  • ‘[r]aising awareness about the importance of protecting industrial control systems […]’ (CBM 15).

4. Way forward

The document also suggests ways of further development of CBMs and cooperative measures:

  • the Security Committee and its Informal Working Group will ‘explore appropriate development of CBMs’ (CBM 11); such efforts should take into account the UN GGE 2013 and 2015 reports, including their recommendations on voluntary CBMs (Considerations);
  • participating states will investigate the spectrum of cooperative measures to prevent an ICT-triggered conflict (CBM 12).

Comments by states and observers

According to the journal of the meeting of the Permanent Council, Russia welcomed the adoption of additional CBMs, emphasising the importance of ‘the key role of [s]tates in facilitating practical co-operation in protecting critical information infrastructures and the need to share information using authorised and protected communication channels’. Russia believes that ‘regardless of the political situation, consensus can be reached on questions of fundamental importance connected with ensuring international information security’.

A representative of the EU called the CBMs ‘a big step forward for multilateral co-operation in the dynamic cyber domain’ and ‘a significant achievement’. The representative felt it necessary to emphasise the importance of ‘preserving a peaceful, open, free and secure cyberspace’, echoing the EU Cybersecurity Strategy, and referred to key EU values in this process.

The US delegate also emphasised the importance of critical infrastructure protection, reiterating the importance of ICT and the Internet, as ‘powerful tools for advancing human rights’. The delegate also stated the firm commitment of the US to the multistakeholder approach to Internet governance.

Why it’s important

In comparison with the original CBMs, which focused on establishing communication channels and in which the topics for information exchange were described rather generically, the updated set of CBMs puts more focus on best practices, public-private partnerships and critical infrastructure, and mentions vulnerabilities and industrial control systems. This and the published statements of the delegations show that all nations involved in the preparation of these CBMs take the vulnerability of critical infrastructure more and more seriously, and are stressing the importance of defusing potential conflicts arising from cyberattacks against it. It also supports the thesis raised by the NATO CCD COE in its recent book, Cyber War in Perspective: Russian Aggression against Ukraine, that states probably realise that the benefits which accrue from launching cyberattacks against critical infrastructure of their adversaries are far outweighed by the risk of having their own critical infrastructure attacked, and thus they prefer to use their offensive cyber capabilities for espionage operations (p. 142).

Of course, the CBMs have their limits. Their language is that of a non-legally binding document, as can be seen in the frequency of the word ‘voluntary’ in the text. Also, just as in the 2015 UN GGE report, and probably for the same reason, the word ‘cyberspace’ and its derivatives are absent from the whole document, being replaced with terms such as ‘use of ICT’, which are seen as more respectful of states’ sovereignty. This is but one reflection of the fundamentally differing views of the countries on how to cope with the free flow of information across borders facilitated by cyberspace, which manifests itself in issues such as the multistakeholderism-multilateralism debate.

Nevertheless, the updated set of CBMs proves that advancing international cooperation regarding cyberspace is considered worthwhile by all OSCE states, and it also signals the universal willingness to engage in a pragmatic solution to the problem of states’ increasing vulnerability to cyberattacks, despite the proxy conflicts these states may conduct, both in cyberspace and outside it.

Tomáš Minárik

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.