So far, attacks against computers and other digital systems designed to cause real damage in the physical world (what the military refer to as ‘kinetic effects’) have been rare. The best known is the Stuxnet campaign against the Iranian nuclear enrichment facilities, especially the facility at Natanz. This allegedly joint US–Israeli operation, code-named Olympic Games, targeted the centrifuges essential to the enrichment of uranium, exaggerating their speeds until they broke.³ It is possible that the United States has also launched cyberattacks against North Korea's ballistic missile programme, provoking failures in missile tests.⁴ But, even if the number of cyberattacks with kinetic effects is so far small, the number of broader cyberattacks, and the range of state and non-state actors developing the capacity to launch them, is growing. These cyberattacks can be broadly categorised as cyberwar, cyberterrorism, cyberespionage and cybercrime. In cyberwar, state actors penetrate foreign computer systems with the aim of damaging the systems themselves, using them to create kinetic effects in the physical world or to prepare the ground to launch attacks in the future. In cyberterrorism, non-state groups penetrate computer systems with the intention of damaging the systems or using them to create kinetic effects. Interestingly, we have not yet seen genuine cyberterrorism. Terrorist groups such as Islamic State have undoubtedly recruited internet engineers, but their online activities have so far been limited to cybercrime (bank raids to raise funds) or online information warfare (see below). In cyberespionage, state and non-state actors penetrate systems to steal information (including personal data, data about capabilities and intentions, and intellectual property). In cybercrime, non-state actors (criminals) penetrate computer systems to generate financial income illegally. This might include straightforward theft (the Russian GameOver criminal network simply drained $6.9 million in a single attack) but also the stealing of information to blackmail companies or using ransomware (the same GameOver network is thought to have made over $1 million from ransomware attacks). These distinctions are not watertight. Governments may work with criminals, piggy-backing criminal attacks for cyberwar or cyberespionage purposes.

Apart from attacking computer systems, state actors can use social media and other digital tools to spread information and propaganda. Russia has been accused of using social media such as Facebook and Twitter to influence elections in the US and France and the Brexit referendum in the UK.⁵ Extremist groups use social media to increase social tensions, spread hate messages and recruit members. Concern is growing in the West about the use of social media to spread misleading or distorted information, or sometimes plain lies, increasingly referred to as ‘fake news’. Talk has begun of cyber information warfare.⁶ The EU has created a strategic communication task force (the EU East StratCom Task Force) to counter what it sees as misinformation being spread by state-backed Russian media. Sometimes the use of social media is combined with penetration attacks. During the 2016 US presidential election campaign, Russian hackers penetrated the computer systems of the Democratic National Committee, in particular the emails of John Podesta, which were then released through WikiLeaks. It is not clear what impact they had on the election result, but they did portray a Democratic candidate out of touch with the concerns of ordinary voters.

Cyberspace is a controversial term, with many different definitions. However, it captures the idea of a space parallel to physical space but closely interrelated with it, where digital information and equipment interact. As we have seen, what happens in cyberspace can impact on what happens in physical space. But what happens in physical space also impacts on cyberspace. In as far as cyberspace consists of digital information and equipment designed and built by humans, it is a man-made creation. Its shape and functioning are defined by human decisions, whether state or non-state actors. It grows with every new piece of digital equipment and application. The developing Internet of Things, where everyday household items, cars, and other machinery and equipment are connected to the internet, represents another significant expansion of cyberspace. Putting ‘things’ online in this way increases not only convenience and productivity but also vulnerabilities, both of individuals and of the system. The introduction of fifth-generation mobile telephony (5G) will represent another increase in connectivity and in the scope of cyberspace. But, as a man-made creation, cyberspace needs man-made rules to govern it. Internet governance may not seem as exciting as the cybersecurity issues outlined above, but it is crucial to how the internet and global society will develop in the twenty-first century. How the internet is governed will shape how, and in whose interests, cyberspace operates. The key issues reflect debates in physical space. Who manages the physical structure of the internet? How are online service providers to be regulated, and where do they pay their taxes? Shall the internet be global or national? What is the balance between freedom of expression and the control of extremism and hate speech? How can we protect privacy and individuals’ data, and what are the prices we are willing to pay in economic efficiency and security? How to combat fake news and manipulation of social media? At the core of these debates is a more general point that has nothing to do directly with cyberspace. How can we agree new international rules in a multipolar world where the old Western consensus on international norms and institutions has broken down, and where non-state as well as state actors play an increasingly important role?⁷

This book will focus on cyberdiplomacy. It aims to explore how a diplomatic approach can help resolve or manage the cybersecurity, online information warfare and internet governance problems identified above. Much has been written about digital diplomacy, whether in books, academic journals or more popular blogs.⁹ The nature and importance of digital diplomacy has been, appropriately, much debated through social media. However, very little has been written about cyberdiplomacy (a paper written by André Barrinha and Thomas Renard in Global Affairs sets out the key challenges).¹⁰ In part this reflects a prejudice that sees cyberspace as so different and separate from physical space that only technical solutions apply. If cyberspace is where digital equipment interacts with digital solutions, then digital solutions must be found for the problems that arise there. But in this book I will argue that, as cyberspace is as much a human creation as physical space (in many respects more so), non-technical approaches must accompany technical solutions. Relying only on technical solutions to resolve the governance, security, criminal and espionage issues arising in cyberspace is equivalent to relying only on military solutions in physical space. Cyberdiplomacy must complement technical measures in cyberspace just as diplomacy complements military measures in physical space.

This book will not ignore digital diplomacy completely. Digital diplomacy will feature through offering digital tools which cyberdiplomacy can deploy in pursuing its broader objectives. In this sense, as in many others, cyberdiplomacy is little different from ordinary diplomacy. It is distinguished primarily by being applied to cyberspace rather than the physical space. A theme that will be explored in this book is how much differ...