The 12th annual International Conference on Cyber Conflict (CyCon) was cancelled due to the spread of SARS-CoV-2 and public health concerns. In order to celebrate the work of our authors, CCDCOE has decided to carry on with the publication of the CyCon proceedings despite having no physical conference accompanying it. ‘20/20 Vision: The Next Decade’ will ask questions about how cyberspace and cyber conflict will evolve in the 2020’s.
What are the emerging technologies, policies and legal frameworks that will shape the future at societal and personal levels? How can we ensure that the cyberspace, continuously open to technological innovation, will be more transparent, predictable and safe, still reflecting our values?
The papers gathered in this book reflect the three CyCon tracks: technical, strategic and legal. Of the total of 19 papers appearing in the book, five cover technical topics and seven touch upon strategic and legal issues, respectively. There is a variety of topics but a trend of shifting paradigms in their respective disciplines can be discerned. With the development of cyberspace as a domain of operations, new ideas appear but old concepts are also being revamped and their application to cyberspace tested. Papers discussing artificial intelligence, autonomous weapons or cloud services stand shoulder to shoulder with papers dealing with energy distribution networks, security of industrial control systems (ICS) or responses available to states under international law.
Jeff Kosseff (Chapter 1) thus explores retorsion as a possible response to malign activities in cyberspace, as does Przemyslaw Roguski (Chapter 2) with the hot topic of collective countermeasures. The latter author’s second paper, co-authored with Neal Kushwaha and Bruce Watson (Chapter 3), compares various national approaches towards storage of governmental data in cloud and identifies possible risks in entrusting this job to commercial service providers incorporated in foreign jurisdictions. Further in the legal track, Livinus Nweke and Stephen Wolthusen (Chapter 4) examine the regulatory frameworks related to the protection of personal data and their impact on sharing of threat information among critical infrastructure operators. Two articles touch upon the obligations of states in regard to development and use of cyber weapons. Aleksi Kajander, Agnes Kasper and Evhen Tsybulenko (Chapter 5) contend that the weapons legal review under Article 36 of Additional Protocol I to the Geneva Conventions is limited in its reach, and examine instead the positive obligation to ensure respect for the conventions under Common Article 1, with a particular focus on autonomous weapons systems. In their turn, Ivana Kudláčková, Jakub Harašta and David Wallace (Chapter 6), while also acknowledging the limitations of Article 36, see policy benefits in extending legal review to software used in operations under the threshold of use of force. Last but not least, Tina Park and Michael Switzer (Chapter 7) offer a new perspective of the responsibility-to-protect norm and explore its applicability in cyberspace.
In the strategic track, the focus has been on military cyber operations and cyber conflict in general. There are two geographically focused papers; the one by Bilyana Lilly and Joe Cheravitch (Chapter 8) offers a comprehensive overview of the evolution of Russia’s posture in information warfare, while the other, authored by Frederick Douzet, Louis Pétiniaud, Loqman Salamatian, Kevin Limonier, Kavé Salamatian and Thibaut Alchus (Chapter 9), discusses fragmentation of the Internet on a case study of border gateway protocol manipulations during the political crisis in Ukraine. Matthias Schulze (Chapter 10) takes a closer look at the use of cyber capabilities in conflict situations, examining it at the operational, tactical and strategic levels. Martin Libicki (Chapter 11) explores the implications of spill-over of a conflict in cyberspace into physical domains. Christopher Whyte (Chapter 12) adds artificial intelligence to the concoction and studies how the new technologies augment offensive cyber operations and what it can mean for states’ deterrence policies. In a similar vein, Keir Giles and Kim Hartmann (Chapter 13) examine the impact of machine-learning on execution of malign influence campaigns. Closing the strategic track, Jason Healey, JD Work and Neil Jenkins (Chapter 14), through selected case studies, analyse how defenders have sought to disrupt adversary operations in cyberspace, offer an analytical framework to categorize such campaigns and measure their impact, while providing a unique dataset spanning over the last thirty years.
The topic of the five technical papers span from industrial control systems through artificial intelligence to post quantum cryptography. Michael Dodson, Mikael Vangaard and Alastair Beresford (Chapter 15) present a study of high-interaction ICS honeypots and argue that networks of Internet-connected honeypots can effectively be used to identify targeted ICS attacks in order to better defend systems that are known for their heterogeneity rendering a uniform approach difficult. Gilberto Azevedo, Maxli Campos and Paulo Cesar Pellanda (Chapter 16) take the example of electric power systems and examine, from the cybersecurity perspective, their traditional structure, the foreseeable changes due to a convergence of environmental factors and advent of new technologies and discuss how to mitigate the associated risks. Roman Graf, Artūrs Lavrenovs and Kimmo Heinäaro (Chapter 17) propose, in their paper, utilizing neural networks for automated classification of individual devices connected to the Internet and examine how to use HTTP features to train such networks. Kim Hartmann and Christoph Steup (Chapter 18) report on attack patterns directed against artificial intelligence and machine learning methods which are likely to grow in occurrence given the society’s increasing dependence on new technologies, and contemplate related policy considerations. The book concludes with a specifically focused paper on isogeny based post quantum cryptography authored by Lubjana Beshaj and Andrew Hall (Chapter 19) of the US Army Cyber Institute at West Point, our partner institution and organiser of CyCon US conference.
All articles published in the book have been subjected to a double-blind peer review by at least two members of CyCon Academic Review Committee.