A Multistakeholder Model of Cyber Peace
Published by The Lawfare Institute
The Russian NotPetya cyberattack of 2017 not only wiped 10 percent of all computers in Ukraine—where it was targeted—but also indiscriminately cascaded around the world, causing approximately $10 billion in damage. Another Russian attack, just one hour before their troops rolled across the Ukrainian border in 2022, disrupted the Viasat satellite communication network, taking offline “more than 5,800 wind turbines belonging to the German energy company Enercon” and internet service in France, the Czech Republic, and the United Kingdom.
These cases illustrate that disruptive cyber campaigns are spilling out of conflict zones to affect everyone, even those far from the fighting. Would-be cyber peacekeepers have no effective way to protect civilians in these situations, unlike in traditional conflict. To deal with the nature of cyber conflict, the world needs a new, multistakeholder model for cyber peace.
In traditional, physical wars, only multilateral institutions like the United Nations have the legitimacy to organize peacemaking and peacekeeping missions, and only states have the military capability to conduct these operations. Military forces contributed by states have the needed guns (and bulldozers) to limit the impact to civilians, keep the war from affecting neighbors, or separate combatants.
Cyber conflict inverts this model: Without external support, states and multilateral institutions lack reasonable means to directly mitigate cyber conflict. Military cyber forces cannot meaningfully separate belligerents, and the geography of cyberspace lacks easily definable or defensible sovereign borders to patrol or defend. When combatants unleash cyber campaigns against civilians, or against one another, they can impact those far from the battlefield.
Any model for cyber peace must rely on major technology companies, which have both the relevant ability and the means to either stop the spread of cyber conflict or create meaningful barriers between adversaries. Ideally, this capability would be structured into multilateral institutions.
While critics will note such companies seemingly lack the legitimacy and the business capacity for such a role, they have been doing something similar for over 15 years. The war in Ukraine has affirmed an important insight for present-day cyber peacemakers: In cyberspace, the private sector has the agility, capacity, and expertise to directly mitigate conflict, while states and international organizations have the requisite legitimacy to align cyber operations with the larger international mission and goals. Cyber peace requires the two working together.
Partnerships in Peace and Security
UN partnership with external actors is not without precedent. Outside of cyberspace, the United Nations has a long history of collaboration with governments, nongovernmental organizations (NGOs), and regional groups to carry out peace and security operations.
These partnerships have proved effective in protecting civilians, providing humanitarian relief, and facilitating community dialogue and disarmament. In the past 20 years, for instance, multilateral regional groups like the African Union and the Economic Community of West African States have taken on a much more active role in peace and security operations, often in partnership with the United Nations.
Meanwhile, the United Nations brings its own comparative strengths, such as financial and material resources, international legitimacy, and over half a century of experience and reform. Since its founding, the UN has served as a key driver of multidimensional peace and security activities, which have evolved to include conflict prevention, peacemaking, peace enforcement, peacekeeping, and peacebuilding operations, often deployed in combination.
What the current UN peacekeeping model demonstrates is that threats to international peace and security are too complex for any single actor. The spread of conflict into cyberspace poses even more complex challenges that demand folding in new—and old—external actors. Even with the support of member states, the UN currently lacks the resources and expertise to mitigate large-scale cyber conflict. The International Committee of the Red Cross has argued that “states, tech companies, humanitarian organizations, civil society, and other stakeholders should join forces to use digital technology to enhance the protection of civilians.”
Cyber Peace and the Private Sector
The geography of traditional conflict is segmented by states exercising sovereign rights within recognized boundaries, as established by treaties. Cyberspace lacks meaningful internal boundaries. And while some states have erected digital borders, these are usually legal, not military, barriers.
But a select set of powerful technology companies do have the ability to create segmentation between belligerents. Large cybersecurity companies (think Palo Alto Networks or CrowdStrike), network service providers (AT&T, Verizon, and NTT), and major information technology vendors and platforms (like Microsoft, Google, and Cisco) routinely reduce the impacts of major, even catastrophic, cyber incidents, including during geopolitical crises and war, as explored below.
These companies, and related nonprofits and industry groups, have the agility, subject matter expertise, and ability to directly change cyberspace to decisively resolve incidents and defend those online—usually while governments are still arguing about what should be done and which agency has the right authority.
For such companies, collaborative activities to limit cyber conflict are a normal, though usually limited, part of their business model. For example, the Cyber Threat Alliance shares threat intelligence among dozens of global security and technology companies. That information used to be hoarded within individual companies to give them an edge; now it is shared to protect all of us.
Militaries, by comparison, have a rather limited or indirect role in cyber defense. They can hopefully defend their own systems and spy on, hunt for, and shoot back at adversaries. But there is little they can do beyond that. Few major cybersecurity incidents have been solved by government actions unless it was the government itself that was targeted.
Support in Crises and War
Much of the cyber support provided by technology companies has been confined historically to the ordinary operations needed to protect their customers. For example, every year, defenders detect sophisticated, nation-state threat actors using dozens of “zero-day” vulnerabilities (which are used by attackers but unknown to defenders, so there are no patches for them yet). Once discovered, these vulnerabilities are usually fixed promptly. So far, so routine.
But in March 2023, one of these zero-day vulnerabilities was being used by Russia’s military intelligence service, the GRU, as part of its military invasion targeting “critical infrastructure in Ukraine [for] disruptive and destructive attacks on the country.” As it would have for any other zero-day, Microsoft quickly patched that vulnerability, directly thwarting a Russian wartime campaign against Ukraine and the other European states the GRU targeted.
In traditional warfare, such direct participation by the private sector to suppress an offensive campaign against a belligerent might be an extraordinary act; in cyber conflict, it is business as usual. Microsoft and more than 150 other technology companies have signed the Cybersecurity Tech Accords committing to “protect all of our users and customers everywhere … irrespective of their technical acumen, culture or location, or the motives of the attacker, whether criminal or geopolitical.”
But these companies’ efforts sometimes go beyond such impartiality and directly help one belligerent over another. Microsoft, for example, committed $107 million in the early days of the war to “literally move the government and much of the country of Ukraine from [in-country] servers to the cloud,” so they are now backed up in data centers across Europe. Google quickly announced a multidimensional strategy for Ukraine’s defense.
The Cyber Defense Assistance Coalition, an alliance of tech and cybersecurity companies, has focused this support in an extremely direct way: devoting “thousands of hours and cutting-edge tools to help Ukraine cyber defenders secure networks, hunt for and expel malicious cyber intruders, improve attack surface monitoring, and provide cyber threat intelligence to protect critical infrastructure.”
As other geopolitical issues evolve—for example, if China decides to attack or isolate Taiwan—the role of such companies will become increasingly central.
New Models for Cyber Peace
Cyber peace needs new models. Multilateral organizations like the United Nations lack the required capabilities to successfully manage cyber conflict: hundreds or thousands of properly trained cyber defenders; technical capabilities to directly detect, attribute, and thwart adversaries; access to the core internet infrastructure or endpoint devices to create defensible frontiers; and the ability to impede or remove misinformation.
Would-be cyber peacemakers have two realistic options: status quo plus or a multistakeholder hybrid model.
Status Quo Plus
A simple extension of existing models might prove successful in dealing with conflict prevention and crisis management—operations short of war. It would not require any major new organizations, just recognition and limited support from existing processes.
States and multilateral institutions, in this status quo plus model, would bring legitimacy and their traditional assistance for mediation and crisis management. But they would also recognize and support the routine work of the major technology and cybersecurity companies, such as by updating software to patch vulnerabilities. These companies are helping to protect their customers, but those same actions contain the conflict and reduce the harm to non-combatants. Those actions should be recognized as consistent with peacebuilding and encouraged (regardless of, for example, any political or economic views of technology companies themselves).
This status quo plus model will be more successful than multilateral organizations directly trying to provide assistance. Without any of the needed capabilities, it seems unlikely that “[c]yberpeacekeepers could be ‘deployed’ by the United Nations … surfing the Internet at well-equipped computers instead of patrolling in armored vehicles.” The existing models, NATO’s Cyber Rapid Reaction Team and the European Union’s Cyber Rapid Response Team, have notably fallen short of their stated missions. Facing “political hurdles” and weighed down by “significant bureaucratic baggage,” neither has ever been deployed to help members facing a cyber crisis.
While individual states at risk might call on their friends to help, such as asking U.S. Cyber Command or Britain’s Strategic Command to hunt forward and look for cyber threats, it would be politically impossible for multilateral organizations to rely exclusively on the support of Western powers.
The status quo plus model might be enough for low-end conflicts but certainly not for higher-intensity peace operations.
Multistakeholder, Hybrid Model
A more muscular model is likely needed for cyber aspects of peacekeeping operations beyond mere crises. New organizations and processes (or very substantial expansion of existing ones) would be needed to respond to offensive campaigns by belligerents in an international armed conflict or perhaps even a conflict in which rivals are relying solely on cyber capabilities to inflict death and disruption on each other.
A new, hybrid model is necessary because even if the UN could build suitable cyber peacekeeping teams (perhaps expanding existing programs, like the Digital Blue Helmets), any formal peacekeeping requires the agreement of all the permanent members of the UN Security Council. Russia (and maybe China or the United States) would veto any operation involving them or their allies.
Rather, a multistakeholder model could combine the capabilities of the private sector and the legitimacy of states and multilateral institutions. A hybrid model of traditional peace enforcers (to handle the military and diplomatic tasks) and technology companies (to disrupt cyber or disinformation operations) might be necessary. A 2021 UN Department of Peace Operations paper has started down this path, suggesting that, to tackle data manipulation in conflict, multilateral institutions could acquire the needed talent and technology from cyber military units of member states or from companies.
In the short term, the Cyber Defense Assistance Coalition or the Cyber Peace Institute in Geneva might help coordinate. In the longer term, multilateral institutions could consider a new office to help coordinate operational cyber peacekeeping and ensure it is in line with broader international goals and support.
Under the threat of Security Council vetoes, such operations may never be UN sanctioned but could be supported by regional groupings, like the Association of Southeast Asian Nations, or a particularly influential mediating state, such as the United Arab Emirates.
Impartiality, an important component of peacekeeping operations, may be a difficult issue in this hybrid model. The private-sector component would need to be, and be seen as, impartial, which might conflict with the business interests of the companies involved. Few if any of the major technology companies wished to be impartial after the full-scale Russian invasion of Ukraine. Fewer would want to be impartial with regard to North Korea or Iran.
Additionally, most of the needed technology companies that possess the requisite capabilities are in Western nations, especially the United States (Russia’s Kaspersky Lab is the prominent exception). Many belligerents may not view American tech companies as fair and dispassionate referees.
That said, not all UN missions are impartial. UN-sanctioned missions might involve member states employing offensive cyber capabilities to disrupt a state using cyber means to incite (or somehow digitally cause, though that seems implausible) genocide, war crimes, ethnic cleansing, or crimes against humanity, if it could not be stopped in more peaceful ways.
It is an all-too-plausible scenario that some online version of Radio Rwanda could use digital messages to incite and steer a future genocide—indeed, Facebook messages have already helped drive violence against the Rohingya in Myanmar. A response need not go as far as a new “digital responsibility to protect,” but there would be important roles for all stakeholders.
***
As the international community grapples with a rise in violent conflicts worldwide, institutions like the United Nations are rethinking and reforming strategies to maintain peace and security. These efforts will be incomplete without developing multistakeholder frameworks for managing and containing cyber conflict.