Alex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations.
Three weeks ago, the members of the Organization for Security and Cooperation in Europe agreed to a second series of cyber-related confidence building measures (CBMs). The OSCE includes rivals like Russia, the United States, Ukraine, Georgia, Turkey, and Greece, so reducing the risk of escalatory cyber activity between them is positive. However, a critical look at the new CBMs reveals that only one of them is actually going to work towards that goal.
The OSCE has a history of developing CBMs, most notably by monitoring ceasefires and by maintaining a communications network to allow participating states to exchange information in the interest of military transparency. Earlier this decade, the organization--at the request of the United States--got involved in cyber issues. In late 2013, OSCE participating states agreed on a first set of CBMs for cyberspace. This makes sense. Most states believe they are vulnerable in cyberspace, have limited insight into their adversaries’ intentions or capabilities, and attributing incidents can be difficult. This quasi-paranoia makes it more likely for a country to overreact if it identifies an adversary in its networks. By agreeing to a set of cyber CBMs, like exchanging white papers, identifying points of contact within government to facilitate communication, and meeting regularly, participating states will have a better understanding of their potential adversaries’ doctrines and intentions.
This first round of CBMs was unexpectedly successful. OSCE states dutifully exchanged strategy and doctrine documents with the OSCE secretariat, which acts as a neutral repository for the information and makes it available for any participating state to consult. They also exchanged information on points of contact and contributed to a proliferation of bilateral cyber dialogues. Though not directly as a result of the OSCE CBMs, the United States holds cyber talks with the United Kingdom, Russia, Germany and the European Union, and smaller countries have begun inserting Internet issues in their regular bilateral dialogues. The 2012-13 United Nations Group of Governmental Experts promoted the OSCE’s work and encouraged UN member states to participate in similar work elsewhere.
The benefits of the second round of CBMs are less clear. In essence, OSCE states agreed to talk to each other to "reduce the risk of conflict stemming from the use of [cyber-based tools]," establish communication mechanisms to reduce the risk of misperception and clarify cyber-related requests for information, collaborate on improving the security of critical infrastructure, and encourage OSCE states to responsibly disclose security vulnerabilities.
Only one of these could provide a real and tangible security benefit: the communication mechanism. The OSCE already operates a dedicated, reliable and secure communication infrastructure that allows participating states to share "military and other information" amongst their foreign or defense ministries. In the event of a cyber-related crisis, the OSCE’s communications network could prove handy to de-escalate tensions between two states, provided that the network itself wasn’t the target. Although the hotline approach is an old one (see the Cuban missile crisis), the United States is reviving it to manage its bilateral relationship with Russia and China. Given that most OSCE states aren’t major powers, using a multilateral communications network is probably a more viable alternative for them than setting up a spaghetti bowl of bilateral hotlines.
The other CBMs--while nice to have--probably won’t accomplish much, though I’d love to be proven wrong. Collaborating to improve the security of critical infrastructure and sharing security vulnerabilities are worthwhile initiatives. However, it’s hard to "share national views of categories of ICT-enabled infrastructure States consider critical" when the United States considers movie theaters critical and when existing channels are more appropriate to disclose vulnerabilities, like through the global network of computer security incident response teams.
Irrespective of the deficiencies of the new CBMs, the communications network alone makes this OSCE effort worth applauding. Let’s hope OSCE states actually use it.