Capacity to contain and respond to biological threats varies considerably across the world. Yet such preparedness is vital for prevention, impact-reduction and resilience in the face of biological events, whether they be natural or deliberate outbreaks.

Chatham House is conducting a series of meetings to strengthen urban preparedness for, and resilience against, biological threats in African countries. This meeting will examine the preparedness and prevention mechanisms in Accra, reviewing the comprehensiveness of city-level preparedness.  

This meeting will focus on the formation and implementation of city-level action plans in the context of preparedness for managing biological threats. It will also explore how local authorities are contributing to this effort with their knowledge and expertise.

Attendance at this event is by invitation only.

This workshop is the second in a series in the 'Implementing the Commonwealth Cybersecurity Agenda' project. The workshop aims to provide a multi-stakeholder pan-Commonwealth platform to discuss how to take the implementation of the 'Commonwealth Cyber Declaration' forward with a focus on the second pillar of the declaration – building the foundations of an effective national cybersecurity response with eight action points. 

As such, the workshop gathers different project implementers under the UK Foreign and Commonwealth Office’s Cyber Programme, in addition to other key relevant stakeholders from the global level, to explore ongoing initiatives which aim to deliver one or more of pillar two’s action points.

The workshop addresses issues from a global perspective and a Commonwealth perspective and will include presentations from selected partners from different Commonwealth countries.

With increased use of military drones in recent years there have also been many calls for greater transparency and accountability with regards to drone operations.

This would allow for greater public understanding, particularly as the complex nature of military operations today intensifies difficulties in sustaining perceptions of the legitimate use of force.

For example, in Europe, leading states rely on the US for drone platforms and for the infrastructure - such as military communication networks - that enable those operations, while the US also relies on airbases in European states to operate its drone programme.

In addition, with reports that the US is loosening the rules on the use of drones, it is important to understand how European approaches to transparency and accountability may be affected by these developments.

This workshop focuses on how European states can facilitate transparency to ensure accountability for drone use, as well as what the limits might be, considering both the complexity of military operations today and the need for achieving operational goals.

With the US easing restrictions on export controls, the discussion also considers the role of regulation in ensuring accountability and prospects for developing common standards.

Attendance at this event is by invitation only.

With continuing instability at Europe's borders, along with uncertainty on future US support for NATO, many European countries are increasing their allocations to defence budgets and to collective European strategic defence. In addition, with non-state armed groups creating instability and threatening civilian lives and livelihoods in proximity to the EU’s borders, various operations have been carried out in conflict theatres in the Middle East, North Africa and the Sahel under the auspices of NATO, the UN, the EU or by single EU member states.

Although European military personnel have been deployed in many regions, with countries becoming more reluctant to deploy ‘boots on the ground’, warfare has been increasingly conducted through remote means. This has led to criticism on the limited transparency and accountability mechanisms at work in these operations, while some have questioned the military effectiveness of such tactics or the capacity and willingness of states to ensure that targets are struck accurately and without impact on civilian populations.

Against this background, the EU has started allocating resources to military research and development projects with a focus on unmanned systems and related technologies. Under the auspices of the European Defence Fund such funding is set to increase, while potential bilateral programmes between some states have also been explored. Despite concerns raised by the European Parliament, the development of these policies and technologies has taken place without significant consideration of what the legal, ethical and military-strategic impact of these instruments might be.    

This event will bring together a range of experts, policymakers and civil society organizations to discuss the technology horizon of European defence investments and policy developments around remote warfare. Participants will discuss the implications of the new EU defence fund, legal, ethical, and transparency issues in military research and development and the position of the EU as a global actor. 

This event is being organized in partnership with PAX Netherlands.

THIS EVENT IS NOW FULL AND REGISTRATION HAS CLOSED.

Internet regulation is increasing around the world creating positive obligations on internet providers and exerting negative unintended consequences on the internet infrastructure. In some ways, most of this regulatory activity is justifiable. Governments are concerned about the increased risk that the use of the internet brings to societies. As a response, many governments have been enacting regulations as their main approach to dealing with these concerns. The main challenge is that most of the current regulations are either ill-defined or unworkable.  

On the one hand, several governments have established procedures that seek to analyze the impacts of new regulatory proposals before they were adopted. However, there hasn’t been enough attention aimed at analyzing regulations after they have been adopted and only a few have measures in place to evaluate the impacts of the procedures and practices that govern the regulatory process itself.

On the other hand, much of the regulation creates unintended consequences to the internet itself. It undermines many of its fundamental properties and challenges the integrity and resiliency of its infrastructure.  

This event discusses current practices in internet-related regulation and the related challenges. Panellists will discuss how governments can enforce regulations that achieve their intended purpose while at the same time protecting the internet’s core infrastructure and its properties, including its openness, interoperability and global reach.

• The risks and challenges of the increasing number and arming of drones. 
• The risks for countries of not doing so in terms of geostrategic interests and the future battlefield.
• Opportunities for developing common standards on drone transfers and deployment across EU member states.
• Sharing and cooperation on drone use.
• What legal and policy implications might arise for European states as a result.

With Brexit on the horizon, participants will also consider what impact this may have on future drone developments in Europe.

Attendance at this event is by invitation only.

• Civil nuclear facilities and organizations hold sensitive information on security clearances, national security, health and safety, nuclear regulatory issues and international inspection obligations. The sensitivity and variety of such data mean that products tailored for insuring the civil nuclear industry have evolved independently and are likely to continue to do so.
• ‘Air-gaps’ – measures designed to isolate computer systems from the internet – need to be continually maintained for industrial systems. Yet years of evidence indicate that proper maintenance of such protections is often lacking (mainly because very real economic drivers exist that push users towards keeping infrastructure connected). Indeed, even when air-gaps are maintained, security breaches can still occur.
• Even if a particular organization has staff that are highly trained, ready and capable of handling a technological accident, hacking attack or incidence of insider sabotage, it still has to do business and/or communicate with other organizations that may not have the essentials of cybersecurity in place.
• Regardless of whether the choice is made to buy external insurance or put aside revenues in preparation for costly incidents, the approach to cyber risk calculation should be the same. Prevention is one part of the equation, but an organization will also need to consider the resources and contingency measures available to it should prevention strategies fail. Can it balance the likelihood of a hacker’s success against the maximum cost to the organization, and put aside enough capital and manpower to get it through a crisis?
• All civil nuclear facilities should consider the establishment of computer security incident response (CSIR) teams as a relevant concern, if such arrangements are not already in place. The existence of a CSIR team will be a prerequisite for any facility seeking to obtain civil nuclear cyber insurance.
• Preventing attacks such as those involving phishing and ransomware requires good cyber hygiene practices throughout the workforce. Reducing an organization’s ‘time to recovery’ takes training and dedication. Practising the necessary tasks in crisis simulations greatly reduces the likelihood of friction and the potential for error in a crisis.

In recent years, cybercrime has evolved from a niche technological concern into a prominent global issue with substantial preventative and remedial costs for businesses and governments alike. Despite heavy investment in sophisticated cybersecurity measures and the adoption of several legal, organizational and capacity-building measures, cybercrime remains a major threat which is evolving on a daily basis. Today’s cybercrime is more aggressive, more complex, more organized and – importantly – more unpredictable than ever before.

The challenges posed by cybercrime are experienced acutely by countries undergoing digital transformations: as the level of connectivity rises, so too does the potential for online theft, fraud and abuse. Cybercrime is pervasive but governments can work to limit its impact by creating a resilient overall economy and robust institution, and appropriately equipping law enforcement and the justice system to navigate its novel challenges.

To advance the discourse surrounding these issues, this workshop will assess the current cyber threat landscape and how it is evolving. It will identify the main obstacles encountered by law enforcement, the judiciary and prosecutors in their fight against cybercrime. It will also compare national, regional and global approaches that countries can use to effectively curb cybercrime and tackle its emerging challenges.

The development of governance in a wide range of digital spheres – from cyberspace to internet infrastructure to emerging technologies such as artificial intelligence (AI) – is failing to match rapid advances in technical capabilities or the rise in security threats. This is leaving serious regulatory gaps, which means that instruments and mechanisms essential for protecting privacy and data, tackling cybercrime or establishing common ethical standards for AI, among many other imperatives, remain largely inadequate.

A starting point for effective policy formation is to recognize the essential complexity of the digital landscape, and the consequent importance of creating a ‘common language’ for multiple stakeholders (including under-represented actors such as smaller and/or developing countries, civil society and non-for-profit organizations).

The world’s evolving technological infrastructure is not a monolithic creation. In practice, it encompasses a highly diverse mix of elements – so-called ‘high-tech domains’,[1] hardware, systems, algorithms, protocols and standards – designed by a plethora of private companies, public bodies and non-profit organizations.[2] Varying cultural, economic and political assumptions have shaped where and which technologies have been deployed so far, and how they have been implemented.

Perhaps the most notable trend is the proliferation of techno-national regimes and private-sector policy initiatives, reflecting often-incompatible doctrines in respect of privacy, openness, inclusion and state control. Beyond governments, the interests and ambitions of prominent multinationals (notably the so-called ‘GAFAM’ tech giants in the West, and their ‘BATX’ counterparts in China)[3] are significant factors feeding into this debate.

Cyberspace and AI – two case studies

Two particular case studies highlight the essential challenges that this evolving – and, in some respects, still largely unformed – policy landscape presents. The first relates to cyberspace. Since 1998, Russia has established itself as a strong voice in the cyberspace governance debate – calling for a better understanding, at the UN level, of ICT developments and their impact on international security.

The country’s efforts were a precursor to the establishment in 2004 of a series of UN Groups of Governmental Experts (GGEs), aimed at strengthening the security of global information and telecommunications systems. These groups initially succeeded in developing common rules, norms and principles around some key issues. For example, the 2013 GGE meeting recognized that international law applies to the digital space and that its enforcement is essential for a secure, peaceful and accessible ICT environment.

However, the GGE process stalled in 2017, primarily due to fundamental disagreements between countries on the right to self-defence and on the applicability of international humanitarian law to cyber conflicts. The breakdown in talks reflected, in particular, the divide between two principal techno-ideological blocs: one, led by the US, the EU and like-minded states, advocating a global and open approach to the digital space; the other, led mainly by Russia and China, emphasizing a sovereignty-and-control model.

The divide was arguably entrenched in December 2018, with the passage of two resolutions at the UN General Assembly. A resolution sponsored by Russia created a working group to identify new norms and look into establishing regular institutional dialogue.

At the same time, a US-sponsored resolution established a GGE tasked, in part, with identifying ways to promote compliance with existing cyber norms. Each resolution was in line with its respective promoter’s stance on cyberspace. While some observers considered these resolutions potentially complementary, others saw in them competing campaigns to cement a preferred model as the global norm. Outside the UN, there have also been dozens of multilateral and bilateral accords with similar objectives, led by diverse stakeholders.[4]

The second case study concerns AI. Emerging policy in this sector suffers from an absence of global standards and a proliferation of proposed regulatory models. The potential ability of AI to deliver unprecedented capabilities in so many areas of human activity – from automation and language applications to warfare – means that it has become an area of intense rivalry between governments seeking technical and ideological leadership of this field.

China has by far the most ambitious programme. In 2017, its government released a three-step strategy for achieving global dominance in AI by 2030. Beijing aims to create an AI industry worth about RMB 1 trillion ($150 billion)[5] and is pushing for greater use of AI in areas ranging from military applications to the development of smart cities. Elsewhere, the US administration has issued an executive order on ‘maintaining American leadership on AI’.

On the other side of the Atlantic, at least 15 European countries (including France, Germany and the UK) have set up national AI plans. Although these strategies are essential for the development of policy infrastructure, they are country-specific and offer little in terms of global coordination. Ominously, greater inclusion and cooperation are scarcely mentioned, and remain the least prioritized policy areas.[6]

Competing multilateral frameworks on AI have also emerged. In April 2019, the European Commission published its ethics guidelines for trustworthy AI. Ministers from Nordic countries[7] recently issued their own declaration on collaboration in ‘AI in the Nordic-Baltic region’. And leaders of the G7 have committed to the ‘Charlevoix Common Vision for the Future of Artificial Intelligence’, which includes 12 guiding principles to ensure ‘human-centric AI’.

More recently, OECD member countries adopted a set of joint recommendations on AI. While nations outside the OECD were welcomed into the coalition – with Argentina, Brazil and Colombia adhering to the OECD’s newly established principles – China, India and Russia have yet to join the discussion. Despite their global aspirations, these emerging groups remain largely G7-led or EU-centric, and again highlight the divide between parallel models. 

The importance of ‘swing states’

No clear winner has emerged from among the competing visions for cyberspace and AI governance, nor indeed from the similar contests for doctrinal control in other digital domains. Concerns are rising that a so-called ‘splinternet’ may be inevitable – in which the internet fragments into separate open and closed spheres and cyber governance is similarly divided.

Each ideological camp is trying to build a critical mass of support by recruiting undecided states to its cause. Often referred to as ‘swing states’, the targets of these overtures are still in the process of developing their digital infrastructure and determining which regulatory and ethical frameworks they will apply. Yet the policy choices made by these countries could have a major influence on the direction of international digital governance in the future.

India offers a case in point. For now, the country seems to have chosen a versatile approach, engaging with actors on various sides of the policy debate, depending on the technology governance domain. On the one hand, its draft Personal Data Protection Bill mirrors principles in the EU’s General Data Protection Regulation (GDPR), suggesting a potential preference for the Western approach to data security.

However, in 2018, India was the leading country in terms of internet shutdowns, with over 100 reported incidents.[8] India has also chosen to collaborate outside the principal ideological blocs, as evidenced by an AI partnership it has entered into with the UAE. At the UN level, India has taken positions that support both blocs, although more often favouring the sovereignty-and-control approach.

Principles for rule-making

Sovereign nations have asserted aspirations for technological dominance with little heed to the cross-border implications of their policies. This drift towards a digital infrastructure fragmented by national regulation has potentially far-reaching societal and political consequences – and implies an urgent need for coordinated rule-making at the international level.

The lack of standards and enforcement mechanisms has created instability and increased vulnerabilities in democratic systems. In recent years, liberal democracies have been targeted by malevolent intrusions in their election systems and media sectors, and their critical infrastructure has come under increased threat. If Western nations cannot align around, and enforce, a normative framework that seeks to preserve individual privacy, openness and accountability through regulation, a growing number of governments may be drawn towards repressive forms of governance.

To mitigate those risks, efforts to negotiate a rules-based international order for the digital space should keep several guiding principles in mind. One is the importance of developing joint standards, as well as the need for consistent messaging towards the emerging cohort of engaged ‘swing states’. Another is the need for persistence in ensuring that the political, civic and economic benefits associated with a more open and well-regulated digital sphere are made clear to governments and citizens everywhere.

Countries advocating an open, free and secure model should take the lead in embracing and promoting a common affirmative model – one that draws on human rights principles (such as the rights to freedom of opinion, freedom of expression and privacy) and expands their applications to the digital space.  

Specific rules on cyberspace and technology use need to include pragmatic policy ideas and models of implementation. As this regulatory corpus develops, rules should be adapted to reflect informed consideration of economic and social priorities and attitudes, and to keep pace with what is possible technologically.[9]

Notes

[1] Including but not limited to AI and an associated group of digital technologies, such as the Internet of Things, big data, blockchain, quantum computing, advanced robotics, self-driving cars and other autonomous systems, additive manufacturing (i.e. 3D printing), social networks, the new generation of biotechnology, and genetic engineering.

[2] O’Hara, K. and Hall, W. (2018), Four Internets: The Geopolitics of Digital Governance, Centre for International Governance Innovation, CIGI Paper No. 206, https://www.cigionline.org/publications/four-internets-geopolitics-digital-governance.

[3] GAFAM = Google, Amazon, Facebook, Apple and Microsoft; BATX = Baidu, Alibaba, Tencent and Xiaomi.

[4] Carnegie Endowment for International Peace (undated), ‘Cyber Norms Index’, https://carnegieendowment.org/publications/interactive/cybernorms (accessed 30 May 2019).

[5] Future of Life Institute (undated), ‘AI Policy – China’, https://futureoflife.org/ai-policy-china?cn-reloaded=1.

[6] Dutton, T. (2018), ‘Building an AI World: Report on National and Regional AI Strategies’, 6 December 2018, CIFAR, https://www.cifar.ca/cifarnews/2018/12/06/building-an-ai-world-report-on-national-and-regional-ai-strategies.

[7] Including Denmark, Estonia, Finland, the Faroe Islands, Iceland, Latvia, Lithuania, Norway, Sweden and the Åland Islands.

[8] Shahbaz, A. (2018), Freedom on the Net 2018: The Rise of Digital Authoritarianism, Freedom House, October 2018, https://freedomhouse.org/report/freedom-net/freedom-net-2018/rise-digital-authoritarianism.

[9] Google White Paper (2018), Perspectives on Issues in AI Governance, https://www.blog.google/outreach-initiatives/public-policy/engaging-policy-stakeholders-issues-ai-governance/.

This essay was produced for the 2019 edition of Chatham House Expert Perspectives – our annual survey of risks and opportunities in global affairs – in which our researchers identify areas where the current sets of rules, institutions and mechanisms for peaceful international cooperation are falling short, and present ideas for reform and modernization.

The 1967 Outer Space Treaty (OST) is the mainframe for space law. It recognizes the importance of the use and scientific exploration of outer space for the benefit and in the interests of all countries. It also prohibits national sovereignty in space, including of the Moon and other celestial bodies.

The OST prohibits all weapons of mass destruction in space – in orbit or on other planets and moons – and does not allow the establishment of military infrastructure, manoeuvres or the testing of any type of weapon on planets or moons. As the treaty makes clear, outer space is for peaceful purposes only. Except of course, it is not – nor has it ever been so.

The very first satellite, Sputnik, was a military satellite which kicked off the Cold War space race between the US and the USSR. The militaries of many countries followed suit, and space is now used for military communication, signals intelligence, imaging, targeting, arms control verification and so on.

However, in keeping with international aspirations, space is also being used for all kinds of peaceful purposes such as environmental monitoring, broadcast communications, delivering the internet, weather prediction, navigation, scientific exploration and – very importantly – monitoring the ‘space weather’ (including the activity from the Sun).

There are several other international agreements on space, such as on the rescue of astronauts, the registration of satellites and liability for damage caused by space objects. There is also the Moon Treaty, which governs activities on the Moon and other moons, asteroids and planets.[i]

More recently, states at the UN Committee on the Peaceful Uses of Outer Space (COPUOS) in Vienna have agreed on guidelines to deal with the worrying situation of space debris which is cluttering up orbits and posing a danger to satellites, the space station and astronauts.

The problem the international community now faces is that the use of space is changing dramatically and rapidly. There are more satellites than ever – well over 1,000 – and more owners of satellites – almost every country uses information generated from space. Increasingly, however, those owners are not countries, militaries or international organizations but the commercial sector. Very soon, the owners will even include individuals.

Small ‘mini-satellites’ or ‘cube-sats’ are poised to be deployed in space. These can act independently or in ‘swarms’, and are so small that they piggy-back on the launching of other satellites and so are very cheap to launch. This is changing the cost–benefit equation of satellite ownership and use. Developing countries are increasingly dependent on space for communications, the internet and information on, for example, weather systems, coastal activities and agriculture. 

Another major development is the advent of asteroid mining. Asteroids contain a wide range of metals and minerals – some asteroids are more promising than others, and some are closer to Earth than others. Several companies have been set up and registered around the world to begin the exploitation of asteroids for precious metals (such as platinum) and compounds (such as rare-earth minerals).

Legally, however, this will be a murky venture. The current international treaty regime prohibits the ownership of a celestial body by a country – space is for all. But does international law prohibit the ownership or exploitation of a celestial body by a private company? The law has yet to be tested, but there are space lawyers who think that companies are exempt. Luxembourg and Australia are two countries that have already begun the registration of interest for space-mining companies.

As humanity becomes more dependent on information that is generated in or transmitted through space, the vulnerability to the manipulation of space data is increasing. The demands on the use of communications frequencies (the issue of spectrum availability and rights), managed by the International Telecommunication Union (ITU),[ii] need to be urgently addressed.

There are now constant cyberattacks in space and on the digital information on which our systems rely. For example, position, navigation and timing information such as from GPS or Galileo is not only vital for getting us safely from A to B, but also for fast-moving financial transactions that require accurate timing signals.

Almost all of our electronic systems depend on those timing signals for synchronization and basic functioning. Cyber hacks, digital spoofing and ‘fake’ information are now a real possibility. There is no rules-based order in place that is fit to deal with these types of attacks.

Cyberweapons are only part of the problem. It is assumed that states, if they haven’t already done so, will be positioning ‘defensive’ space weaponry to protect their satellites. The protection may be intended to be against space debris – nets, grabber bars and harpoons, for example, are all being investigated.

All of these ideas, however, could be used as offensive weapons. Once one satellite operator decides to equip its assets with such devices, many others will follow. The weaponization of space is in the horizon.

There are no international rules or agreements to manage these developments. Attempts in Geneva to address the arms race in space have floundered alongside the inability of the Conference on Disarmament to negotiate any instrument since 1996.

Attempts to develop rules of the road and codes of conduct, or even to begin negotiations to prohibit weapons in space, have failed again and again. There are no agreed rules to govern cyber activity. The Tallinn Manuals[iii] that address how international law is applicable to cyberwarfare also address the laws of armed conflict in space, but data spoofing and cyber hacking in space exist in far murkier legal frameworks.

The current system of international space law – which does not even allow for a regular review and consideration of the OST – is struggling to keep up. Space is the inheritance of humankind, yet the current generation of elders – as they have done with so many other parts of our global environment – have let things go and failed to shepherd in the much-needed system of rules to protect space for future generations.

It is not too late, but it will require international cooperation among the major space players: Russia, the US, China, India and Europe – hardly a promising line-up of collaborators in the current political climate.

Filling the governance gaps

Norms of behaviour and rules of the road need to be established for space before it becomes a 21st-century ‘wild west’ of technology and activity. Issues such as cleaning up space debris, the principle of non-interference, and how close satellites can manoeuvre to each other (proximity rules) need to be agreed as a set of international norms for space behaviour.

A cross-regional group of like-minded countries (for example Algeria, Canada, Chile, France, India, Kazakhstan, Malaysia, Nigeria, Sweden, the UAE and the UK) should link up with UN bodies, including the Office for Outer Space Affairs (UNOOSA), COPUOS and ITU, and key private-sector companies to kick-start a new process for a global code of conduct to establish norms and regulate behaviour in space.

The UN could be the host entity for this new approach – or it could be established in the way the Ottawa process for landmines was established, by a group of like-minded states with collective responsibility for, and collective hosting and funding of, the negotiations.

A new approach should also cover cybersecurity in space. The UN processes on space and cyber should intersect more to find ways to create synergies in their endeavours. And the problems ahead as regards spectrum management – particularly given the large number of small satellites and constellations that are to be launched in the near future – need urgent attention in ITU.

Notes

[i] All of these treaties and other documents can be found at UN Office for Outer Space Affairs (2002), United Nations Treaties and Principles on Outer Space, http://www.unoosa.org/pdf/publications/STSPACE11E.pdf.

[ii] ITU (undated), ‘ITU Radiocommunication Sector’, https://www.itu.int/en/ITU-R/Pages/default.aspx.

[iii] The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), ‘Tallinn Manual 2.0’, https://ccdcoe.org/research/tallinn-manual/.

This essay was produced for the 2019 edition of Chatham House Expert Perspectives – our annual survey of risks and opportunities in global affairs – in which our researchers identify areas where the current sets of rules, institutions and mechanisms for peaceful international cooperation are falling short, and present ideas for reform and modernization.

Summary

• All satellites depend on cyber technology including software, hardware and other digital components. Any threat to a satellite’s control system or available bandwidth poses a direct challenge to national critical assets.
• NATO’s missions and operations are conducted in the air, land, cyber and maritime domains. Space-based architecture is fundamental to the provision of data and services in each of these contexts. The critical dependency on space has resulted in new cyber risks that disproportionately affect mission assurance. Investing in mitigation measures and in the resilience of space systems for the military is key to achieving protection in all domains.
• Almost all modern military engagements rely on space-based assets. During the US-led invasion of Iraq in 2003, 68 per cent of US munitions were guided utilizing space-based means (including laser-, infrared- and satellite-guided munitions); up sharply from 10 per cent in 1990–91, during the first Gulf war. In 2001, 60 per cent of the weapons used by the US in Afghanistan were precision-guided munitions, many of which had the capability to use information provided by space-based assets to correct their own positioning to hit a target.
• NATO does not own satellites. It owns and operates a few terrestrial elements, such as satellite communications anchor stations and terminals. It requests access to products and services – such as space weather reports and satellite overflight reports provided via satellite reconnaissance advance notice systems – but does not have direct access to satellites: it is up to individual NATO member states to determine whether they allow access.
• Cyber vulnerabilities undermine confidence in the performance of strategic systems. As a result, rising uncertainty in information and analysis continues to impact the credibility of deterrence and strategic stability. Loss of trust in technology also has implications for determining the source of a malicious attack (attribution), strategic calculus in crisis decision-making and may increase the risk of misperception.

After President Trump decided to halt a missile attack on Iran in response to the downing of a US drone, it was revealed that the US had conducted cyberattacks on Iranian weapons systems to prevent Iran launching missiles against US assets in the region.

This ‘left-of-launch’ strategy – the pre-emptive action to prevent an adversary launch missiles – has been part of the US missile defence strategy for some time now. President George W Bush asked the US military and intelligence community to infiltrate the supply chain of North Korean missiles. It was claimed that the US hacked the North Korean ballistic missile programme, causing a failed ballistic missile test, in 2012.

It was not clear then – or now – whether these ‘left-of-launch’ cyberattacks aimed at North Korea were successful as described or whether they were primarily a bluff. But that is somewhat irrelevant; the belief in the possibility and the understanding of the potential impact of such cyber capabilities undermines North Korean or Iranian confidence in their abilities to launch their missiles. In times of conflict, loss of confidence in weapons systems may lead to escalation.

In other words, the adversary may be left with no option but to take the chance to use these missiles or to lose them in a conflict setting. ‘Left of launch’ is a dangerous game. If it is based on a bluff, it could be called upon and lead to deterrence failure. If it is based on real action, then it could create an asymmetrical power struggle. If the attacker establishes false confidence in the power of a cyber weapon, then it might lead to false signalling and messaging.

This is the new normal. The cat-and-mouse game has to be taken seriously, not least because missile systems are so vulnerable.

There are several ways an offensive cyber operation against missile systems might work. These include exploiting missile designs, altering software or hardware, or creating clandestine pathways to the missile command and control systems.

They can also be attacked in space, targeting space assets and their link to strategic systems.

Most missile systems rely, at least in part, on digital information that comes from or via space-based or space-dependent assets such as: communication satellites; satellites that provide position, navigation and timing (PNT) information (for example GPS or Galileo); weather satellites to help predict flight paths, accurate targeting and launch conditions; and remote imagery satellites to assist with information and intelligence for the planning and targeting.

Missile launches themselves depend on 1) the command and control systems of the missiles, 2) the way in which information is transmitted to the missile launch facilities and 3) the way in which information is transmitted to the missiles themselves in flight. All these aspects rely on space technology.

In addition, the ground stations that transmit and receive data to and from satellites are also vulnerable to cyberattack – either through their known and unknown internet connectivity or through malicious use of flash drives that contain a deliberate cyber infection.

Non-space-based communications systems that use cable and ground-to-air-to-ground masts are likewise under threat from cyberattacks that find their way in via internet connectivity, proximity interference or memory sticks. Human error in introducing connectivity via phones, laptops and external drives, and in clicking on malicious links in sophisticated phishing lures, is common in facilitating inadvertent connectivity and malware infection.

All of these can create a military capacity able to interfere with missile launches. Malware might have been sitting on the missile command and control system for months or even years, remaining inactivated until a chosen time or by a trigger that sets in motion a disruption either to the launch or to the flight path of the missile. The country that launches the missile that either fails to launch or fails to reach the target may never know if this was the result of a design flaw, a common malfunction or a deliberate cyberattack.

States with these capabilities must exercise caution: cyber offence manoeuvres may prevent the launch of missile attacks against US assets in the Middle East or in the Pacific regions, but they may also interfere with US missile launches in the future. Even, as has recently been revealed, US cyber weapons targeting an adversary may blow back and inadvertently infect US systems. Nobody is invulnerable.

Summary

• The application of ‘security by design’ in nuclear new builds could provide operators with the opportunity to establish a robust and resilient security architecture at the beginning of a nuclear power plant’s life cycle. This will enhance the protection of the plant and reduce the need for costly security improvements during its operating life.
• Security by design cannot fully protect a nuclear power plant from rapidly evolving cyberattacks, which expose previously unsuspected or unknown vulnerabilities.
• Careful design of security systems and architecture can – and should – achieve levels of protection that exceed current norms and expectations. However, the sourcing of components from a global supply chain means that the integrity of even the most skilfully designed security regime cannot be guaranteed without exhaustive checks of its components.
• Security by design may well include a requirement for a technical support organization to conduct quality assurance of cyber defences and practices, and this regime should be endorsed by a facility’s executive board and continued at regular intervals after the new build facility has been commissioned.
• Given the years it takes to design, plan and build a new nuclear power plant, it is important to recognize that from the point of ‘design freeze’ onwards, the operator will be building in vulnerabilities, as technology continues to evolve rapidly while construction fails to keep pace with it. Security by design cannot be a panacea, but it is an important factor in the establishment of a robust nuclear security – and cybersecurity – culture.

With the increased use of armed drones in recent years, ethical and legal concerns have been raised in regard to civilian casualties, secrecy and lack of transparency and accountability for drone strikes.

This project brings together experts on the use of armed drones, including current and former military officials, academia, think-tanks and NGOs, to discuss and exchange perspectives based on their different experiences, with the aim of sharing knowledge and increasing understanding on these issues, and to inform and provide input into the European debate. The experts explore the issues and controversies surrounding the use of drones outside formal armed conflict and study the broader policy implications in detail, particularly with regards to what this means for the UK and other European countries.

Building on the findings from the workshops, this project will hold a simulation exercise to stress test critical areas of concern around the use of armed drones that are relevant for the UK and other EU member states.

The discussions and the simulation exercise will provide opportunities for policy input on areas of mutual concern and feed into practical policy recommendations on the use of armed drones.

This project builds on previous work on armed drones by the International Security Department and is funded by the Open Society Foundations.