BY: BRUCE McCONNELL
Nearly four years ago, U.S. National Security Advisor Susan Rice observed that the world’s “most vexing security challenges are transnational security threats that transcend borders: climate change, piracy, infectious disease, transnational crime, cyber theft, and the modern-day slavery of human trafficking.” To this list, we could add migration, violent extremism and the safety of fissile nuclear materials.
These issues share two characteristics: first, they are accentuated in their severity by modern technology; second, there are no effective international regimes or institutions that have these problems in hand. Of all these issues, increasing the security and stability of cyberspace is near the top in urgency, and will need to be a focal point of the new U.S. administration.
Beyond the everyday news of cyber intrusions, cyber-enabled attacks in the lead-up to the U.S. presidential election have roiled relationships in Washington and globally. What’s new about this case for Americans is its spectacular illustration of the long-stated Russian doctrine that they are in an “information war” with the West. In fact, the Russians do not use the term cybersecurity. They only talk about information security, which makes it tricky to reach cybersecurity agreements with those who do not also license restrictions on speech.
We are experiencing a global cyber arms race led by the United States, Russia, China, Iran, Israel and some European countries, with many others, including North Korea, following close behind. Non-state actors, such as organized crime syndicates and terrorist groups like the Islamic State are also a threat, and rapidly closing the gap.
Given the potential impacts of the deliberate or accidental use of increasingly powerful cyber weapons, it is unfortunate that there are still no binding international agreements in place. By comparison, in international airspace, norms of behavior and international law apply, including identity proofing, filing of flight plans, certification of aircraft, etc.
While there is movement in this area, it remains early days. For instance, a group of governmental cyber experts at the United Nations has worked for over 10 years to draft an initial set of non-binding norms of behavior in cyberspace. Among other things, their recommendations cover the use of cyber technologies for peaceful purposes, a more collaborative approach to combatting cyber attacks, taking responsibility for cross-border cyber attacks emanating from servers in one’s territory, and not using computer incident response teams for offensive purposes.
The corporate sector realizes the imminent threats, and major international companies are also working to develop and promote norms of industry behavior, with a focus on:
- Creating more secure products and services ;
- Preventing states from weakening the security of commercial, mass-market ICT products and services ;
- Practicing responsible vulnerability disclosure ;
- Collaborating to defend customers against and help them recover from serious cyberattacks;
- Issuing updates to protect their customers no matter where the customer is located.
But norms are not enough. In other weapons regimes, self-restraint is leadership. This is not a partisan issue. Indeed, Jack Goldsmith—Assistant Attorney General under George W. Bush—advocated recently that the United States agree “to restrain itself in its activities in foreign networks in exchange for restraint from our adversaries in our networks.” Without such leadership, without emphasizing a degree of global cooperation, the new U.S. administration will not be taking sufficient steps to prevent major accidental or intentional disruptions to global economic and political stability, and thus make the world a more predictable and safe place.