NUPI's Research Centre on New Technology

Internet governance and the UN in a multiplex world order era?

Over the last two decades Internet Governance (IG) has emerged as an increasingly complex and fraught field of policymaking involving both states and non-state actors on a multitude of arenas. Facing this complex field, the role of the United Nations (UN) in IG has been both varying and contested. While the UN has been discussing issues related to IG since the 1990s, disagreements on both substantive issues and where discussions ought to take place have intermittently resurfaced and remained relevant, but recent processes and challenges to the status quo asks questions about the direction going forward. In the UN, recently established processes aims to revamp the approach to IG, while the negotiations over a cybercrime convention, and the 2022 ITU plenipotentiary have made the long running contests between western and authoritarian states over this topic more visible. Broader trends and rising tensions globally raises questions not only about the future for the global nature of IG and the role of the UN in this, but also whether decoupling and alliances with like-minded states might become more dominant than global multilateral and multi-stakeholder channels, i.e a trend pointing towards a multiplex field of internet governance.1

Stuxnet - et paradigmeskifte?

More than a decade after Stuxnet was made publicly known, it remains the most vigorous example of a cyber attack causing both serious kinetic damage and as means to assert political pressure. Based on an analysis of the operation and its aftermath, this chapter argues that Stuxnet represents a paradigm shift. In view of advancements made to develop offensive and defensive cyber capabilities, particularly in the US, Israel and Iran, the shift refers to how states understand and use cyber capabilities during times of conflict. We illustrate how cyber operations can in certain contexts function as a supplement between diplomacy and the use of military means, but also in some cases as a substitute for conventional military force. The article is in Norwegian.

Hva er det vi egentlig løser ved å slette TikTok?

Hvilke apper må Nasjonal sikkerhetsmyndighet vurdere i neste runde?

The subsea cable cut at Svalbard January 2022: What happened, what were the consequences, and how were they managed?

Svalbard is, like most other societies, largely dependent on an internet connection. The fiber connection on Svalbard consists of two separate subsea cables that connect Longyearbyen to the mainland. In some areas the cables were buried about two meters below the seabed, especially in areas where fishing is done, to “protect against destruction of the fishing fleet’s bottom trawling or anchoring of ships. (New version uploaded 18 January 2023)

Loss of Tonga’s telecommunication – what happened, how was it managed and what were the consequences?

In January 2022 the subsea volcano Hunga Tonga-Hunga Ha’apai in Tonga had a major eruption which also cut the country’s communication lines nationally, between Tonga’s inhabited islands and the outside world. The damage led to a complete halt in international communication (a “digital darkness”) which meant that, in the period immediately after the outbreak, not much was known about the extent of the damage in Tonga. Due to very limited access to contact with both the authorities and the population of Tonga, it was only during overflights carried out by the Australian and New Zealand air forces that one could begin to map the extent of the damage and the need for assistance.

Interpreting cyber-energy-security events: experts, social imaginaries, and policy discourses around the 2016 Ukraine blackout

We analyse the expert debate around a cyber attack in 2016 that caused an electric power blackout in Ukraine. Two expert reports were crucial for interpreting this event, and there are several competing narratives of cybersecurity where the event plays different roles. We show that the most securitized narratives became more prominent and point to the power wielded by private companies and experts in this field.

Private infrastructure in weaponized interdependence

The ability of states to exploit private resources at an international level is an increasingly salient political issue. In explaining the mechanisms of this shift, the framework of Weaponized Interdependence has quickly risen to prominence, arguing that those states that are centrally placed in global networks can exploit their centrality given the appropriate domestic institutions. Building on this framework, I suggest that the relationship between states and the private corporations holding the resources states seek to exploit is more dynamic and contested than assumed. Drawing on developments in the industry for constructing and operating submarine cables, I find that a paradigm shift in the market has significantly limited the authority of states vis-à-vis key market players. The contribution of this finding is to expand Weaponized Interdependence as a framework, paying closer attention to the relationship between private companies and states. This expansion allows for the utilization of Weaponized Interdependence as a framework for a broader set of cases, explaining not only when a network is prone to weaponization but also the limitations states face when they seek to do so.

Verdens rikeste mann har geopolitiske ambisjoner. Derfor bekymrer Twitter-kjøpet.

Elon Musk's involvement in the Ukraine war and take-over of Twitter raise a number of questions and dilemmas (in Norwegian).

Digitale trusler blir kinkig for Norge i Sikkerhetsrådet

(Op-ed in Norwegian): De fleste land rangerer trusler via det digitale rom som en av de største utfordringene for det 21. århundret. På tross av dette har tematikken knapt vært nevnt i FNs sikkerhetsråd. Hva kommer det av? Og kan Norge gjøre noe med det? spør Niels Nagelhus Schia og Erik Kursetgjerde i denne DN-kronikken.

Norwegian cybersecurity: a small-state approach to building international cyber cooperation

As a small, open and highly digitalized country, cyber security is an issue of growing policy importance in Norway. Yet, like other highly digitalized states, Norway has faced difficulties in squaring national cyber security with private business interests and the multitude of actors. Recent years has seen efforts aimed at uniting disparate institutions and organizations into a coherent framework that works.

Managing a digital revolution: cyber security capacity building in Myanmar

Digitalization is exposing developing countries to a growing number of risks as well as opportunities associated with connecting to the Internet. Myanmar stands out as a critical case of both the pitfalls and the benefits Internet connection can bring. Amidst a political transition from military rule to a functioning democracy Myanmar is adding ICT to key areas like banking and e-government. Having been one of the least connected countries in the world only five years ago the country is now connecting to the Internet at an unprecedented pace, with few institutions in place to ensure the transition goes smoothly. The rapid expansion of Internet connectivity is connecting ever more people to an international world of business, discourse, and entertainment, but also crime, subterfuge, and discord. A crucial aspect for development in the years to come will be the harnessing of the benefits, as well as mitigating the downsides that inherently follow in the wake of Internet access (Schia, 2018). In this chapter, we examine the risks and potential benefits of Myanmar’s embracement of digital technologies.

Digital Vulnerabilities and the Sustainable Development Goals in Developing Countries

How does digitalization lead to new kinds of global connections and disconnections in the developing countries? And which role does digitalization play for the UN’s Sustainable Development Goals? This entry focuses on cybersecurity capacity building (CCB) and the sustainability of development processes in developing countries.

Intergovernmental checkmate on cyber? Processes on cyberspace in the United Nations

Cyberspace is an increasingly controversial field on the international agenda. Despite the fact that processes on the thematic have been going on in the UN since 1998, a more significant international agreement is needed on what basic principles should apply in cyberspace. Small states have the opportunity of pushing cybersecurity as a thematic priority in the United Nations Security Council – a path Norway could pursue in its forthcoming 2021–2022 Security Council term. The attribution of the assumed Russian cyber operations toward the Norwegian parliament earlier this year actualizes the addressing of the issue in the Council. The policy brief discusses the GGE negotiations on cyberspace in 2015 and 2017 - and gives policy recommendations on the way forward.

Offensive cyberoperasjoner: Den nye normalen?

Can states retaliate if they get digitally attacked in peace-time? What are states doing and what does international law say about this? What are the potential security implications of an eventual increase in the use of offensive cyber operations?

Hacking democracy: managing influence campaigns and disinformation in the digital age

How are states responding to the threat of using digital technologies to subvert democratic processes? Protecting political and democratic processes from interference via digital technologies is a new and complicated security threat. In recent years the issue has been most prominent in terms of election security, yet the widespread usage of digital technologies allows for the subversion of democratic processes in multifaceted ways. From disrupting the political discourse with false information to inflaming and stoking political divisions digital technologies allows for a variety of ways for malicious actors to target democracies. This article compares different state experiences with interference in sovereign and contested political decisions. More specifically the article compares the Norwegian approach and experience in managing these challenges with those of Finland and the UK. Mapping both how the problem is understood, and the role of previous experiences in shaping public policy.

The role of the UN Security Council in cybersecurity: international peace and security in the digital age

At the 75th anniversary of the United Nations, the UN Security Council is faced with difficult questions about its efficacy, relevance and legitimacy. The leading powers and the permanent members (P5) of the Security Council – China, France, Russia, the UK and the USA – are drawn into a heavy contest over the world order. Power lines are (to be) drawn in an increasingly digital, interconnected and multi-stakeholder society. So far, despite the language from heads of states, global media houses and from leaders of international organizations including NATO and the UN, none of the P5 countries have brought cyber to the UNSC. Other countries – for instance, Lithuania and the Netherlands – have considered introducing cybersecurity issues in the Council, but no action has followed. One of the most recent members-elect, Estonia, has pledged to take the issue up. To stay relevant and act up on its responsibility for international peace and security, the Security Council will have to establish itself vis-à-vis cyber issues. The goal of this chapter is to examine why and how. To what extent do questions pertaining to digital threats and cybersecurity fall within the mandate of the Council and what could it address given the politically tense times among the P5.

The Politics of Stability: Cement and Change in Cyber Affairs

In November 2018, the Global Commission on the Stability of Cyberspace, inaugurated one year earlier ‘to develop proposals for norms and policies to enhance international security and stability and guide responsible state and non-state behavior in cyberspace’, launched six norms pointing ‘the way to new opportunities for increasing the stability of cyberspace’. However, the Commission has not examined or explained the very concept it was established to explore. Quite the contrary, the Commission argues that its proposed norms will be used to define what cyber stability actually is. Focusing on the interrelationship between international peace and stability, and ways of achieving both in the context of ICTs, the authors will offer a model of stability of cyberspace. They begin by examining the concepts of ‘stability’ and ‘strategic stability’ as understood with regard to international security. This conceptual analysis is followed by a presentation of the political claims of stability expressed in national and international cyber-and information-security discourses. Drawing on the conceptual approaches and the political claims, the report then model the stability of cyberspace in three interlinked and reinforcing dimensions: 1) equal and inclusive international relations; 2) prevention of war: the minimal peace, with emphasis on averting a devastating nuclear war between the superpowers; and 3) the functionality of global and national technical systems and services. After discussing how international law, preventive diplomacy, confidence-building measures, and norms of responsible state behaviour can support cyberspace stability, this report concludes with recommendations for action aimed at helping to create and maintain a stable - resilient and adaptive - cyberspace.

Critical communication infrastructures and Huawei

Recently, there have been growing cyber-safety concerns over telecom equipment made by the Chinese vendor Huawei. This has led many countries to ban Huawei from supplying equipment for building the next generation of mobile networks, 5G. Responses from mobile operators and the telecom community in general have been mixed. For instance, many European mobile operators have stated that these concerns are overblown and that such a ban would delay 5G rollout by two to three years in the best case. Moreover, some operators have directly questioned the ability of the other vendors to timely deliver a complete 5G network. However, these claims have mostly not been grounded in empirical data. This paper takes a multi-perspective approach to investigating this problem empirically. We start by categorizing responses from different countries to using Huawei equipment in 5G. We then analyze the importance and readiness of Huawei for supplying 5G equipment. This analysis is based on contributions to standards and patents. We also present a conceptual risk analysis framework to qualitatively evaluate the ability of a single vendor to cause considerable damage to critical communication infrastructures. This model aims at exploring a set of relevant axis. More specifically, we look at potential for harm in different political climates that is peace, crisis and war. Another axis is whether banning a particular vendor from supplying equipment for the upcoming mobile networks generation is useful without having a backward compatible ban. A third axis is the ability of a vendor to cause harm as a function of the type of supplied equipment, for example radio towers vs network management systems. Combining the analysis of readiness for supplying 5G and potential for causing harm allows us to roughly estimate the likely impact that a complete ban would have on 5G rollout in different parts of the world. We find that such a ban can possibly delay 5G by two years or more for operators with high dependence on Huawei. Consequently, we explore potential approaches that would both reduce vendor-related risk and do not significantly delay the rollout of 5G. These include heterogeneous multi-vendor deployments, equipment verification and testing, international collaboration as well as signing non-aggression treaties. Unfortunately, there is no technological solution that fully remedy this problem. Combining technical solutions with efforts to build trust between countries, enforce existing alignments or create new ones seems a promising way forward.

Finding a European response to Huawei’s 5G ambitions

This policy brief suggests that European countries should institute national reviewing boards overseen by intelligence agencies to vet Huawei equipment. If that is not feasible due to a lack of resources or capabilities especially among smaller countries, European governments should consider pooling resources and create a common reviewing board. This would also prevent duplication of efforts on national levels. European authorities should also demand from Huawei to clearly separate its international from its domestic business operations in order to further reduce the risk to the confidentiality, integrity, and availability of European mobile networks.

Forebygging av krig og konflikt i cyberdomenet

(Available in Norwegian only): Cyberdomenet representerer kanskje en av vår tids største trusler mot internasjonal fred og sikkerhet men er viet lite oppmerksomhet hva gjelder forebyg- ging av krig og konflikt. Det er behov for internasjon- ale forpliktende kjøreregler som hever blikket over IKT-forvaltning, digitalisering og cybersikkerhetstil- tak og fokuserer på fredelige relasjoner mellom sta- ter i cyberdomenet. Skal en slik diskusjon ha effekt må den tas i FNs Sikkerhetsråd.

Military Offensive Cyber-Capabilities: Small-State Perspectives

This Policy Brief provides an overview of the military cyber-defence strategies and capabilities of Norway and of the Netherlands. Comparison of the two different approaches offers insights into their differing tactics and future policy directions. The Brief contributes with a small-state perspective on this malleable and constantly changing field, nuancing the hitherto US-centred debate on the utility and need for deterrence and defence in cyberspace.

Parabasis: Cyber-diplomacy in Stalemate

Governments and industry around the world are working together to bring the next billion users online,1 but their synergies fade when it comes to how to keep online populations safe and secure. Further, the third and fourth billion of Internet users will enter a terrain very different from that available to their predecessors. Vulnerabilities in ICTs as well as de facto exploitation of these vulnerabilities by state and non-state actors has been acknowledged and problematized. Evidence of malicious and hostile operations involving ICTs and the Internet abounds. Uncertain about the true potential of ICTs, governments and users have focused on rules and responsibilities for protecting against cyberattacks, espionage and data manipulation. But where is there an understanding of how to remedy and improve the situation? The first part of this report analyzes and contextualizes the UN First Committee process. The second part offers the authors’ extensions to the theme, analyzing the relative successes and failures of the leading cyberpowers in promoting the world order of their liking. In particular, we analyze how Russia, as the initiator of the First Committee process, has created momentum and gathered support for its calls for specific international regulation and institutionalization of the process on the one hand, and stronger governmental control of the development and use of ICTs and the flow of information on the other. In conclusion, we offer some recommendations for governments wishing to pursue the goal of free and open cyberspace—indeed a rule-based world order. The full text can be read here: http://hdl.handle.net/11250/2569401

International Cybersecurity: Orchestral Manoeuvres in the Dark

Tikk and Kerttunen inform new entrants and nonparticipating governments of the discussions and outcomes of the UN First Committee Group of Governmental Experts (GGE) and discuss prospects for the 2019/2020 GGE. They explain why the Group will not able to provide answers to practical cybersecurity issues facing the majority of states. The authors call states to critically review their reasons for and expectations towards the UN First Committee dialogue on international cybersecurity.

Cyber Security Capacity Building in Myanmar

Digitalization is exposing developing countries to a growing number of risks, as well as opportunities associated with connecting to the Internet. Myanmar stands out as a critical case of both the pitfalls and the benefits Internet connection can bring. Amidst a political transition from military rule to a functioning democracy Myanmar is adding ICT to key areas like banking and e-government. Having been one of the least connected countries in the world only five years ago the country is now connecting to the Internet at an unprecedented pace, with little or no institutions in place to ensure the transition goes smoothly. Using the framework of Cyber Security Capacity Building (CCB) we examine the risks and potential benefits of Myanmar’s embracement of digital technologies.

Managing a Digital Revolution - Cyber Security Capacity Building in Myanmar

Digitalization is exposing developing countries to a growing number of risks, as well as opportunities associated with connecting to the Internet. Myanmar stands out as a critical case of both the pitfalls and the benefits Internet connection can bring. Amidst a political transition from military rule to a functioning democracy Myanmar is adding ICT to key areas like banking and e-government. Having been one of the least connected countries in the world only five years ago the country is now connecting to the Internet at an unprecedented pace, with little or no institutions in place to ensure the transition goes smoothly. Using the framework of Cyber Security Capacity Building (CCB) we examine the risks and potential benefits of Myanmar’s embracement of digital technologies.

Cyber-weapons in International Politics : Possible sabotage against the Norwegian petroleum sector

The use of digital weapons is a rising global problem. Society is rapidly becoming more digitalized – and thereby more vulnerable to attacks. These vulnerabilities are increasingly abused by states and other international actors: Information is stolen, and sabotage occurs. Politically motivated digital attacks against petroleum-sector infrastructure represent one such threat, but this has not attracted as much attention by politicians and business leaders as other security challenges in the sector. In an international crisis, Norwegian oil and gas deliveries to Europe could be attacked on a scale far exceeding what the private and public sectors experience on a daily basis. Such attacks could be aimed at stopping or hindering the physical delivery of petroleum, with direct economic, security and political implications beyond the digital domain.This report examines the issue of digital sabotage of the Norwegian petroleum sector by placing the issue in a geopolitical context, by examining previous cases, and by investigating the current security setup in the petroleum sector.

The cyber frontier and digital pitfalls in the Global South

How does digitalisation lead to new kinds of global connections and disconnections in the Global South? And what are the pitfalls that accompany this development? Much of the policy literature on digitalisation and development has focused on the importance of connecting developing countries to digital networks. Good connection to digital networks may have a fundamental impact on societies, changing not only how individuals and businesses navigate, operate and seek opportunities, but also as regards relations between government and the citizenry. However, the rapid pace of this development implies that digital technologies are being put to use before good, functional regulatory mechanisms have been developed and installed. The resultant shortcomings – in state mechanisms, institutions, coordination mechanisms, private mechanisms, general awareness, public knowledge and skills – open the door to new kinds of vulnerabilities. Herein lie dangers, but also opportunities for donor/recipient country exchange. Instead of adding to the already substantial literature on the potential dividends, this article examines a less studied issue: the new societal vulnerabilities emerging from digitalisation in developing countries. While there is wide agreement about the need to bridge the gap between the connected and the disconnected, the pitfalls are many.

Makt og avmakt i cyberspace: hvordan styre det digitale rom?

A secure cyberspace is a necessity for the functioning of the economic, political and social structures of modern-day society. The stability and development of cyberspace is not preordained, but something that has to be facilitated. Cyberspace is constantly changing and to govern the complex set of interests, agendas and implications multistakeholder initiatives that promote cooperation between the public and private sector and civil society are increasingly put forth as the solution. This form for cooperation is widely seen in the policy community as a panacea for securing cyberspace. While academics have questioned these initiatives’ functionality, few have studied why they do not work in practice. By focusing on the power dynamics between the different actors this article takes a step towards understanding how these dynamics create conflict of interest in governing cyberspace. Through case studies of multistakeholder initiatives on the international level and in Norway, this paper argues that these initiatives are implemented without the necessary preconditions for such a form of governance. This article is published in Norwegian.

Trusselen fra cyberspace

(Op-ed in Norwegian only): Cyberangrep øker i omfang verden over. Norge er et av verdens mest digitaliserte land og dermed spesielt utsatt, men dette blir i stor grad oversett av politikere og næringslivsledere.

Conflict in Cyber Space: Theoretical, strategic and legal perspectives

Adopting a multidisciplinary perspective, this book explores the key challenges associated with the proliferation of cyber capabilities. Over the past two decades, a new man-made domain of conflict has materialized. Alongside armed conflict in the domains of land, sea, air, and space, hostilities between different types of political actors are now taking place in cyberspace. This volume addresses the challenges posed by cyberspace hostility from theoretical, political, strategic and legal perspectives. In doing so, and in contrast to current literature, cyber-security is analysed through a multidimensional lens, as opposed to being treated solely as a military or criminal issues, for example. The individual chapters map out the different scholarly and political positions associated with various key aspects of cyber conflict and seek to answer the following questions: do existing theories provide sufficient answers to the current challenges posed by conflict in cyberspace, and, if not, could alternative approaches be developed?; how do states and non-state actors make use of cyber-weapons when pursuing strategic and political aims?; and, how does the advent of conflict in cyberspace challenge our established legal framework? By asking important strategic questions on the theoretical, strategic, ethical and legal implications and challenges of the proliferation of cyber warfare capabilities, the book seeks to stimulate research into an area that has hitherto been neglected. This book will be of much interest to students of cyber-conflict and cyber-warfare, war and conflict studies, international relations, and security studies.

Teach a person how to surf: Cyber security as development assistance

Much policy literature on digitalization and development has focused on the importance of connecting developing countries to digital networks, and how such technology can expand access to information for billions of people in developing countries, stimulating economic activity, collaboration and organizations. Good connection to digital networks may have a fundamental impact on societies, changing not only how individuals and businesses navigate, operate and seek opportunities, but also as regards relations between government and the citizenry. Instead of adding to the substantial literature on the potential dividends, this report examines a less studied issue: the new societal vulnerabilities emerging from digitalization in developing countries. While there is wide agreement about the need to bridge the gap between the connected and the disconnected, the pitfalls are many, especially concerning cyber security, a topic often neglected, also in the recent World Bank report Digital Dividends (2016). The present report is an attempt at redressing this imbalance.

Lær en mann å surfe

Cyber Security Capacity Building in Developing Countries: challenges and Opportunities

Cyberspace is an intrinsic part of the development of any country. A strong cyber capacity is crucial for states to progress and develop in economic, political and social spheres. The need to integrate cyber capacity building and development policies has been documented by both the cyber community, academia and policy makers. The investment in securing cyberspace affects the success rate of other policy initiatives as well. However, there is a clear need for a deeper dialogue with the development community and recipient countries in order to better understand how to implement cyber capacities in practice in order to achieve broader development goals. To stimulate the debate on cyber capacity building and its impacton social and economic development worldwide this brief puts forward challenges to implementation. The aim is to set priorities and identify indicators of success and failure. To steer this process a better overview of initiatives and avoid duplication, it is necessary to set up the challenges that both the donors and recipients face. By doing this we move cyber capacity building one step closer to successful implementation.

Cyber Security Capacity Building in Developing Countries

Cyberspace is an intrinsic part of the development of any country. A strong cyber capacity is crucial for states to progress and develop in economic, political and social spheres. The need to integrate cyber capacity building and development policies has been documented by both the cyber community, academia and policy makers. The investment in securing cyberspace is crucial, as it affects the success rate of other policy initiatives as well. However, there is a clear need for a deeper dialogue with the development community and recipient countries in order to better understand how to implement cyber capacities in practice in order to achieve broader development goals. To stimulate the debate on cyber capacity building and its on social and economic development worldwide this brief puts forward challenges to implementation. The aim to is to set priorities and identify indicators of success and failure. To steer this process a better overview of initiatives and avoid duplication, it is necessary to set up the challenges that both the donors and recipients face. By doing this we move cyber capacity building one step closer to successful implementation.

The Cyber Frontier

The cyber frontier perspective serves to explicate that the Global South’s participation in digitalization is not simply a matter of joining cyberspace. On the contrary, it is a matter of selective forms of global connection in combination with disconnection and exclusion. I contextualize security concerns by describing the trajectory of digitalization in the Global South. I proceed by exploring how “technological leapfrogging” can create new and unique societal vulnerabilities. By linking digitalization with security and economic growth, cybersecurity is seen in connection with development assistance and the implementation of the UN Sustainable Development Goals (SDGs). Finally, I hold that this triple knot (digitalization, security and economic growht) represents an opportunity for donors such as the EU to foster new types of development assistance building on a continued engagement in the Global South.