Even though ordinary citizens around the world are called upon to unite in a Ukrainian cyber army, Royakkers stresses that the stories about individuals at a desk with a computer who are capable of shutting down entire systems are largely a thing of the past. “Governments, agencies and companies have increased their efforts to tighten up cybersecurity. It takes a lot of knowledge and money to successfully carry out a cyberattack and shut down a system. That’s why should be more afraid of state-backed hackers.”

Apart from those direct cyberattacks, the lack of an open, critical information provision poses another serious problem. “War isn’t just about physical battle anymore; we’re dealing with hybrid warfare nowadays. Russia is spreading disinformation on a large scale in an attempt to create doubt and influence opinions online. That seems to be a constant feature of Russia’s battle plan: destabilization, with the aim of disrupting society and undermining the democratic rule of law. Every casualty in a physical war is one too many, naturally, but the consequences of an attack on democracy are immense.”

Hybrid war

What complicates matters, is the fact that cyber or hybrid wars aren’t as well-defined as physical wars, and that it’s more difficult to determine when they start or end, Royakkers says. He co-authored the report ‘Cyberspace without conflict’ a few years ago, on behalf of the Rathenau Instituut, to encourage the public debate on international cybersecurity. “The line between war and peace has become blurred. At the same time, there are no clear guidelines on how to retaliate after a cyberattack, nor is there any clarity on who the enemy is exactly and on what kind of means you’re allowed to use. You can’t tackle these problems with current international law. We are in an extreme situation right now, and the whole world is involved. At the same time, it hasn’t been set down in writing anywhere at what point hackers cross a red line when they launch a cyberattack.”

One of the most important recommendations of the Rathenau report is that international collaboration needs to be intensified in order to increase cybersecurity. In addition, the report calls for clear, international rules for cyberattacks, Royakkers summarizes. “This definitely needs to be a priority within NATO. The current war in Ukraine shows just how important international collaboration is. Trying to come up with the solution on your own is a waste of time and money. Digital security can increase rapidly and significantly if we share our knowledge. Trust plays an important role, because countries need to be willing to share their weaknesses with their allies. New and clear regulations will also make us less powerless and show us how to deal with each other. Right now, we don’t have these international tools to call a country to account.”

Hack or tap

The fact that cybersecurity requires an international approach doesn’t mean that we shouldn’t make demands on our own systems here in the Netherlands, Royakkers stresses. At the same time, he is concerned by the fact that intelligence agencies AIVD and MIVD have called on the government to pass a legislative amendment that will give them more power and, consequently, more information on our ‘adversaries.’ “These intelligence agencies have far-reaching powers already, but they need to ask an independent agency permission first before they can hack a computer or tap into a phone. Without independent assessment, there’s always a risk of abuse of power. We can however work on a more effective, faster system. And since we’re known for our bureaucracy, I believe that there’s a lot to be gained in that respect.”

Apart from international collaboration and regulation, there’s one other way to continue to safeguard our digital security, Royakkers says in conclusion. “Protect the independence of large tech companies such as Google, Apple and Microsoft. They play a vital role in the security of our digital environment and should under no circumstances become an extension of the government. That’s why it’s so encouraging that many large companies joined the ‘Paris Call for Trust and Security in Cyberspace,’ in which they promised never to help governments launch cyberattacks against innocent civilians and companies, and to protect their products against covert campaigns and sabotage. Again: trust plays an important role. In the situation we currently find ourselves in, but certainly also if we hope to de-escalate.”