21 October 2016
Sony Pictures was a recent victim of a breach of cybersecurity. Photo: Bloomberg
Sony Pictures was a recent victim of a breach of cybersecurity. Photo: Bloomberg

Developing international rules of the road for cybersecurity

Last month, the Netherlands hosted the Global Conference on Cyberspace 2015, which brought together nearly 2,000 government officials, academics, industry representatives and others.

I chaired a panel on cyberpeace and security that included a Microsoft vice president and two foreign ministers.

This multistakeholder conference was the latest in a series of efforts to establish rules of the road to avoid cyberconflict.

The capacity to use the internet to inflict damage is now well established.

Many observers believe the American and Israeli governments were behind an attack that destroyed centrifuges at an Iranian nuclear facility.

Some say an Iranian government attack destroyed thousands of Saudi Aramco computers.

Russia is blamed for denial-of-service attacks on Estonia and Georgia.

And in December, US President Barack Obama attributed an attack on Sony Pictures to the North Korean government.

Until recently, cybersecurity was largely the domain of a small community of computer experts.

When the internet was created in the 1970s, its members formed a virtual village; everyone knew one another, and together they designed an open system, paying little attention to security.

Then, in the early 1990s, the World Wide Web emerged, growing from a few million users then to more than three billion today.

In little more than a generation, the internet has become the substrate of the global economy and governance worldwide.

Several billion more human users will be added in the next decade, as will tens of billions of devices, ranging from thermostats to industrial control systems (the “internet of things”).

All of this burgeoning interdependence implies vulnerabilities that governments and non-governmental actors can exploit.

At the same time, we are only beginning to come to terms with the national security implications of this.

Strategic studies of the cyberdomain resemble nuclear strategy in the 1950s: analysts are still not clear about the meaning of offense, defense, deterrence, escalation, norms and arms control.

The term “cyberwar” is used very loosely for a wide range of behaviors, ranging from simple probes, website defacement and denial of service to espionage and destruction.

In this, it reflects dictionary definitions of “war”, which include any organized effort to “stop or defeat something that is viewed as dangerous or bad” (for example, “war on drugs”).

A more useful definition of cyberwar is any hostile action in cyberspace that amplifies or is equivalent in effect to major physical violence.

Determining whether an action meets that criterion is a decision that only a country’s political leaders can make.

There are four major categories of cyberthreats to national security, each with a different time horizon and (in principle) different solutions: cyberwar and economic espionage, which are largely associated with states, and cybercrime and cyberterrorism, which are mostly associated with non-state actors.

The highest costs currently stem from espionage and crime, but the other two may become greater threats over the next decade than they are today.

Moreover, as alliances and tactics evolve, the categories may increasingly overlap.

During the Cold War, ideological competition limited US-Soviet cooperation, but both sides’ awareness of nuclear destructiveness led them to develop a crude code of conduct to avoid military confrontation.

These basic rules of prudence included no direct fighting, no first use of nuclear weapons, and crisis communication, such as the Moscow-Washington hotline and the Accidents Measures and Incidents at Sea agreements.

The first formal arms-control agreement was the 1963 Limited Test Ban Treaty, which can be considered mainly an environmental treaty.

The second major agreement was the 1968 Nuclear Non-Proliferation Treaty, which was aimed at limiting the spread of nuclear weapons.

The United States and the Soviet Union perceived both agreements as positive-sum games, because they involved nature or third parties.

Similarly, the most promising areas for early international cooperation on securing cyberspace are problems posed by third parties such as criminals and terrorists.

Russia and China have sought a treaty for broad United Nations oversight of the internet.

Though their vision of “information security” could legitimize censorship by authoritarian governments and is therefore unacceptable to democratic governments, it may be possible to identify and target behaviors that are illegal everywhere.

Limiting all intrusions would be impossible, but one could start with cybercrime and cyberterrorism.

Major states would have an interest in limiting damage by agreeing to cooperate on forensics and controls.

Of course, historical analogies are imperfect.

Obviously, cybertechnology is very different from nuclear technology, particularly because non-governmental actors can exploit it much more easily.

Nonetheless, some institutions, both formal and informal, already govern the basic functioning of the internet.

The US wisely plans to strengthen the non-governmental Internet Corporation for Assigned Names and Numbers (ICANN) by having it supervise the internet “address book”.

There is also the Council of Europe’s 2001 Convention on Cybercrime, with Interpol and Europol facilitating cooperation among national police forces.

And a UN group of government experts has been analyzing how international law relates to cybersecurity.

It is likely to take longer to conclude agreements on contentious issues such as cyberintrusions for purposes like espionage and preparing the battlefield.

Nonetheless, the inability to envisage an overall cyberarms-control agreement need not prevent progress on some issues now.

International norms tend to develop slowly. It took two decades in the case of nuclear technology.

The most important message of the recent Dutch conference was that massive cybervulnerability is now nearing that point.

Copyright: Project Syndicate

– Contact us at [email protected]


Professor at Harvard University, Chairman of the World Economic Forum’s Global Agenda Council on the Future of Government.

EJI Weekly Newsletter