Cyber space’s international friends
|Jan 24 2013|
|VERTIC Blog >> Verification and Monitoring|
Larry MacFaul and Katherine Tajer, London
Cyber security is now a key priority in many countries’ national policy agendas and its importance to states will continue to grow into the foreseeable future. The fundamentally transboundary nature of cyber space means that a considerable portion of government, and other stakeholders’, efforts needs to be put into identifying and agreeing to rules of the road that enable the opportunities cyber space has to offer to be fully realised and its potential for disruption to be minimised.
Cyber space pervades nearly all aspects of modern society and increasingly underpins government activities, military planning and operations, industrial and civil infrastructure, as well as business growth and transactions. It is already a dominant mode of social communication and interaction. And in addition, much of the infrastructure that cyber space is based on is owned and run by the private sector. This means that there are a lot of players in the field with significant interests and clout.
It also means that there are a numerous challenges ranging from cyber attacks on critical civil and military infrastructure, disruption of financial services, and theft of intellectual property as well as the potential for stifling freedom of expression, association and innovation.
Each country’s policies, ideologies and culture can profoundly affect the way they view cyber space, and how they believe it should be used. These differences in position affect governments’ positions in discussions on how to manage the cross-border characteristics of the internet.
Two other features of cyber space require the international community to get innovative, and quickly: its ability to convey attacks across borders at speed—and for the perpetrators to hide their identity—challenges conventional defence planning, and, at a more general level, the sheer pace of change in the cyber field can make it hard for governments to formulate and implement appropriate policies in an useful timescale.
If we are to generate practical and actionable ideas on how to move forward, it is going to be important to break down the various issues into their constituent parts—without, however, ignoring the links, dependencies and relationships that necessarily make up cyber space. For facilitating international discussions on these issues, it will be important for countries to have good mechanisms and forums to enable them to reach common understandings and agreed approaches.
Several regional and international processes are already underway, and their work continues in 2013 and beyond. Below is an outline of some of the main processes supporting international talks and generating ideas for how to move forward.
At the UN level, two Groups of Governmental Experts have been in action. The first group convened in 2004-2005, and in 2010 a new group met to revise several resolutions. This group has been ordered to reconvene in 2012 and to report to the 68th General Assembly in 2013. This is likely to be an influential forum.
The Budapest Convention on Cybercrime, first written in 2001, remains the only operational international agreement on cybercrime. This convention asks its signatories to adopt national legislation that criminalizes cybercrime, and attempts to harmonize international legislation in order to prosecute cross-border crime. However, US ratification of the convention was controversial in the US Senate and among the media, and the membership as a whole remains fairly limited at only 32 parties. This number does however include many of the counties with higher levels of digital take-up but lacks participation from key players Russia and China.
At the regional level, NATO has developed a ‘New Strategic Concept’, in 2010, as part of the Lisbon summit. The paper contains measures for strengthening cyber-defence capabilities. It includes information on operational requirements and new NATO bodies established to coordinate cyber defence within NATO and to liaise with the other regional and international bodies. A ‘Cooperative Cyber Defence Centre of Excellence’ in Estonia was accredited as a NATO CoE in 2008 and conducts research and training on cyber defence.
The OSCE is also active in the field. It established a working group focused on developing a set of confidence building measures (CBMs) for states with a focus on transparency instruments such as exchanges of contact information for key bodies and exchanges of data. It also recently hosted a conference (in 2012) on Internet Freedoms and Governance.
For its part, the EU External Action Service is working on a cyber-security strategy for the region. And in the east, the Asia Regional Forum (ARF) has hosted a series of cyber-related seminars, and has sought to draft CBMs too. In July 2012, the ARF ministers made a statement on cybercrime that included calls to promote dialogue on cooperation, confidence-building, stability, and risk reduction measures in the use of ICTs and cyber security.
London and Budapest have hosted a large international conference on cyber space. The 2011 London conference, which was inaugural meeting, had over 700 delegates representing 60 countries in attendance. The UK Foreign Secretary William Hague spoke at the event saying ‘The spread of connectivity between individuals, governments and organisations is bringing benefits and opportunities on a vast scale.’
But he added the following caution and call for action: ‘As all our societies become more wired-up and technologies converge, the scope for malignant activity will widen alongside the many advantages, whether it is the theft of intellectual property or the spread of malware and viruses. It will become harder to protect our users or to prevent our defences from being swamped. Furthermore it is increasingly clear that countries with weak cyber defences and capabilities will find themselves exposed over the long term; at a serious strategic disadvantage given the apparent rise in state-sponsored attacks. So if we want a future in which the benefits of the digital age are expanded to all peoples and economies of the world, and the risks minimised as much as possible, then we need to act to achieve that. I believe we must aspire to a future for cyberspace which is not stifled by government control or censorship, but where innovation and competition flourish and investment and enterprise are rewarded.’
Independent bodies are also contributing to the debate. Last year, VERTIC collaborated with UNIDIR and Chatham House in hosting a conference on cyber security at the UN in Geneva. The meeting addressed ‘Confidence Building Measures in Assuring Cyber Stability’. It gathered over 100 participants from governments, intergovernmental bodies, NGOs and the private sector. The agenda examined technical and political challenges to cyber stability and heard countries’ perspectives on what a stable cyber environment might look like.
And, at the operational level, it’s important to consider the ongoing work of the International Telecommunication Union (which has over 193 member countries and 700 private and academic members) and ICANN - the Internet Cooperation for Assigned Names and Numbers who carry out key activities in maintenance of communication technologies.
The above forums and bodies do not constitute an exhaustive list of the processes working towardseffecting an open and stable cyberspace in which countries and their citizens can interact and innovate. But they do provide a picture some of the key mechanisms in use by governments and other stakeholders at the moment. We are likely to see even more activity and, hopefully, outcomes in 2013 and beyond.
Last changed: Jan 25 2013 at 1:58 AMBack