Every year, the Munich Security Conference brings together heads of state, leaders of multinational organizations and private companies to discuss the world’s most pressing security issues. And every year, cybersecurity gets short shrift because policymakers are more comfortable with a traditional approach to geopolitics, rather than introducing cyber into the debate.
Yet, this demonstrates that our security approach remains overwhelmingly focused on traditional physical capabilities, even though we are increasingly facing a digital battlefield with the potential for devastating impacts in the real world.
As state-sponsored actors “cross the Rubicon” to use cyberattacks and information manipulation to undermine other governments, this year’s Munich Security Conference missed a golden opportunity to place cyber on the main stage of geopolitics.
This year’s conference relegated cyber issues to the sidelines, a surprising decision given the two major cyber-related incidents that received public attribution in recent months. The first announcement was the public attribution to the Russian military of the devastating so-called NotPetya cyberattack of July 2017 by the U.S., the U.K. and half a dozen other governments.
According to this very high-profile public attribution, the attack was designed to target Ukraine, yet caused indiscriminate damage upon the Danish shipping company Maersk and countless other organizations across the world, causing losses in the billions of dollars. The second major public announcement, which came on the eve of the conference, was the indictment of 13 Russian citizens by U.S. special counsel Robert Mueller for their efforts to influence the 2016 U.S. elections.
These announcements received some attention, but did not take center stage during the Munich Security Conference. Cyber was most notably mentioned by speakers such as British Prime Minister Theresa May and U.S. national security adviser H.R. McMaster. May reiterated the high-profile public attribution of the Russian state-sponsored actors’ responsibility for the NotPetya attack, and McMaster accused Moscow of engaging in a campaign of “disinformation, subversion and espionage,” which he said Washington would continue to expose. He also declared that the evidence of a Russian effort to interfere in the elections “is now incontrovertible.”
NATO Secretary General Jens Stoltenberg did not mention cyber at all in his speech, although NATO is pushing an ambitious cyber agenda, and the secretary general strongly supports it. Similarly, U.N. Secretary-General António Guterres highlighted the importance of efforts aimed at determining the applicability of international law to cyberspace. Yet, his remarks did not project any concrete way forward in this field.
Fortunately, side events at the Munich Security Conference fixed the deficit of cyber discussion on the main stage. Members of the Global Commission on the Stability of Cyberspace, an international group focused on proposing voluntary norms of responsible behavior in cyberspace, spread their presence and contributions across the side events. Experts, business representatives, civil society, media and policymakers also discussed how cyber can be used to undermine international stability and democratic institutions. These events featured important industry players such as Microsoft, Facebook and Siemens, yet Twitter was conspicuously absent.
While the side sessions proved the cyber debate is still alive and kicking, the general omission by the conference is the norm in today’s high-level international security and strategy debates. With the exception of the cyber-dedicated international events, cybersecurity rarely gets the high profile it deserves.
This shortcoming is reflected in the efforts of multilateral organizations. The U.N. has made only narrow progress on addressing cyber issues; and though the European Union has evolved from a digital single market to a more comprehensive approach on cyber, more work remains to be done. NATO has advanced most significantly in addressing cyber, but there is still work ahead to articulate a true collective defense in cyberspace.
Why is cyber still late in the game of mainstream strategic discussion, despite its evident impact on our personal lives and national security? My decades-long experience working with policymakers and international organizations points to a long-standing tendency to regard cyber as a technical problem constricted to the virtual world. From this perspective, the main policy deliberations have focused on investing resources to solve short-term security deficiencies. But as the recent election attacks have shown, the use of cyber tools can have a long-standing strategic impact. As the internet of things continues to connect our devices to the cyber realm, real world risks have amplified dramatically.
The cyber front line is all around us. We must improve our digital IQ by embracing active coordination and discussion of this massively important topic at future security conferences.