Cybersecurity at the International Level

Commentary | April 30, 2012

Many countries are drafting domestic policies to combat cyber attacks and cyber crime, but the larger question is what can be done on the multilateral level since the digital world routinely ignores national boundaries. One measure of the problem is provided by the 2011 Symantec survey on the scale of cyber crime, showing that the annual cost of cyber crime to individuals in 24 major countries is $114 billion. But, so far, international initiatives are plagued by the lack of agreed upon frameworks, institutions and procedures. Below, a few examples—far from a complete list—of the organizations and initiatives dealing with cybersecurity on the multilateral level:

  • Perhaps the largest player in the international cybersecurity arena is the International Telecommunication Union (ITU). A United Nations organization comprised of 193 UN member states and over 700 private companies and organizations, the ITU seeks to create guidelines and frameworks for international initiatives. ITU facilitates the World Summit on the Information Society (WSIS) and the Global Cybersecurity Agenda (GCA).  It also drafts UN General Assembly resolutions concerning information security and criminal utilization of information technology. ITU initiatives are voluntary and merely provide guidelines, serving as a foundation for customary international law, which means they lack a concrete legal framework. Still, they do serve to raise awareness on cybersecurity issues, which is an essential prerequisite for international action.

 

  • The Asia-Pacific Economic Cooperation (APEC) is a working group of 21 nations, which includes Australia, Canada, China, Japan, Mexico, Russia, Taiwan and the United States. In 2002 APEC created the Shanghai Declaration Program of Action, which illustrates the potential for intelligence sharing and cybersecurity defense through regional partnerships. However, there’s still a lack of clear policy statements to promote cooperation, and the organization has failed to meet the Bogor goals set forth in 1994.

 

  • The European Network and Information Security Agency (ENISA) is a working group tasked with protecting the critical information systems of European Union member states through prevention and reaction to attacks on these critical systems. The prevention measures are focused on raising awareness and information sharing.

 

  • The CERT-EU (Computer Emergency Response Pre-configuration Team) is tasked with responding to cyber attacks on information systems of EU member states. But CERTS often get overloaded with calls and, as a result, responses are frequently delayed. Such delays and call-center overload illustrate the larger challenges of providing adequate funding and member state commitment within this regional organization.

 

  • Cybersecurity is also an issue under discussion within the NATO-Russia Council, as both sides have expressed interest in possible cooperation. However, there are frequent disagreements over definitions, language and terminology.  Russia considers “cyber attacks” to be a military issue while the U.S. sees them as criminal activity. The U.S. uses the term “cybersecurity” and for what Russia calls “information security.” The two countries also have very different notions of what constitutes Internet censorship.

 

EWI’s experiences hosting international cybersecurity summits and leading bilateral Russia-U.S. and China-U.S. efforts have demonstrated that progress on the multilateral level is possible—but also can be hindered by mistrust. To ensure further progress, all sides need to place a greater emphasis on building up trust as they pursue the common goal of a safer, more secure digital world.