Working Together to Limit Cyber-Danger

To address cyber-threats, nations need to work together to draw up rules that protect us from two kinds of harm: aggressive states and non-state actors using the Internet for malicious purposes.  At present, there’s a lack of trust between established and rising powers and the rest of the world.  Thus, international bodies can be helpful to bridge that mistrust and to solve some of the challenges.  Those international bodies should integrate input from non-governmental experts both from the private sector and the NGO community.  All these parties need to move quickly. Without clear norms and rules, cyberspace is used by actors as they see fit creating precedents and practice.  Tim Maurer, a Program Associate at the Open Technology Institute, discussed this challenge in a recent appearance 10^th biennial International Security Forum   during his panel "Cyberwar: Roles and Responsibilities of International Organizations."  Here's a summary of his remarks.  

Hillary Clinton in one of her last speeches as Secretary of State said about the times we currently live in, “we are trying to write a new answer to the age-old question of what happens when an established power and a rising power meet.” This systemic shift had been the focus of several presentations by previous speakers at the conference who also described a high level of mistrust between these powers currently.

We are not only witnessing a systemic shift in international affairs but also the rise of a new technology - the Internet, or if we want to capture the whole universe of networks, cyberspace. This new technology adds to the uncertainty in the international system because it remains unclear how it would even affect international relations in a stable system, not to mention one that is going through a systemic shift. This challenge is not limited to the US and China alone but affects everyone. Currently, only a third of the world has access to the Internet but the remaining two thirds are likely to follow soon.

The role of international organizations in this context depends on what we think about international organizations. Are they only fora for governments to discuss, or do they have a life of their own? Are they merely structure or agents themselves? A significant body of literature led by scholars such as Michael Barnett and Martha Finnemore shows that international organizations have lives of their own based on their expertise and moral authority. They help classify the world and provide meanings. International organizations therefore generally do matter and are useful. This includes traditional intergovernmental organizations such as the United Nations but also institutions such as the International Organization for Standardization or more modern networked international organizations such as ICANN.

There are two main ways international organizations can play a role when it comes to affecting cyber-security: one focuses on the technical aspects, the other on human behavior. Cyberspace is unique in this aspect compared to other spheres of human interaction. To borrow the chessboard analogy, for land, sea, air, and space the design of each chessboard is already determined. It is basically impossible to change the shape of continents or oceans. We cannot move mountains or a strategically placed island. Any effort therefore focuses on how to influence the rules of the game but not the game board itself. In cyberspace, the latter is also possible and the physical infrastructure, the protocol, or the content layers can be altered affecting actors and their actions. That is the technical dimension and why international organizations focusing on setting technical standards are particularly important when it comes to Internet policy.

The behavioral aspect and the development of norms has been the focus of international organizations for decades across a variety of issues. This includes cyber-security. There have been calls for an international treaty, and Russia and China have been promoting a draft International Code of Conduct for Information Security. Russia has even developed a draft convention. However, there are no universally accepted definitions for key terms such as information security and whether or not they include content. Apart from such political considerations, there are also fundamental questions regarding monitoring and enforcing any international agreement in the digital age. For example, Professor Michael Glennon at Tufts University made an interesting observation in a recent paper on international cyber-security regulation explaining that arms agreements are usually based on an assessment of other parties’ military capabilities to determine to what degree such an agreement would freeze in advantages or disadvantages if adhered to. He emphasized, however, that cyber capabilities are so secretive and concealed, that a capability assessment is highly speculative.

If anything, the tone has become even tenser. Last December, Russia decided at the very last minute to object to a resolution outlining a set of confidence building measures the Organization for Security and Cooperation in Europe had developed and finalized for adoption by its 57 member states from Central Asia, Europe, and North America. Shortly thereafter the World Conference on International Telecommunication in Dubai revealed a schism in the international community on Internet Governance. And the rate of adoption of the Convention on Cybercrime remains low in spite of its entering into force in 2004 while the recent accusations between the US and China have sharpened the tone in this key bilateral relationship.

International organizations have been the fora for these negotiations and debates, but away from the spotlight of the media they also contribute to a more mature classification and fixing of meanings relating to this new technology and its effects on international affairs. A variety of international organizations have been providing input to this process. The International Committee of the Red Cross (ICRC), for example, offers its own definition of cyber warfare as “means and methods of warfare that rely on information technology and are used in the context of an armed conflict” and also points out that the Geneva Conventions apply offline as well as online. In 2009, a working group under the UN Security Council found that “cyber-terrorism’ was not a current threat after years of debate. An independent group of experts looked into how international law could be translated to cyberspace for the NATO’s Cooperative Cyber Defence Centre of Excellence. And the UN Institute for Disarmament Research has published a report documenting the development of cyber-security doctrines worldwide. These contributions also shape the understanding and decisions of policy-makers and the decisions they take.

Cyber-security raises a number of fundamental questions and big new challenges. To focus on what is new, existing international agreements should be considered to apply online as well as offline shifting the focus to potential gaps and what is not adequately covered. For example, a group of governmental experts at the United Nations has been examining this issue and will hopefully affirm that international humanitarian law applies online as well as offline. Such an affirmation will be a useful first step and enable states to focus on other issues such as the range of activity just below the threshold of the use of force and an armed attack. Other international organizations have been the host and guardian of other useful existing mechanisms.

Including external experts to discussions at intergovernmental organizations is also necessary. This includes private companies as some have already argued as well as NGOs including the ICRC. The Arria Formula used by the Security Council back in 1992 offers a useful precedent to emulate. Such experts provide not only independent expertise but in the current climate of high levels of mistrust could potentially also play the role of deus ex machina helping bridge mistrust among states by providing independent assessments, for example, on mutually faced problems.

International organizations can use their legitimacy through moral authority to be a voice of caution and reason. The recent attack against South Korean financial institutions and the subsequent efforts to find the perpetrators are a powerful reminder how hard it is to solve the attribution problem and the risk of false accusations. In this case the IP address of a financial institution’s intranet was mistaken for a public IP address in China. An international organization endowed with sufficient technical expertise and resources by the international community could help manage such incidents.

Last but not least, with two thirds of the world yet to access the Internet, sharing best practices and lessons learned on how to enable more secure access for new users will be increasingly important. The UK government recently announced the creation of a Global Centre for Cyber Security Capacity Building based at the University of Oxford. In addition to universities, international organizations have always been hubs for capacity-building to collect knowledge from countries around the world and to develop staff to share that expertise. This will require expanding the focus beyond traditional intergovernmental organizations of the UN system to the institutions that have emerged with the Internet and represent a modern networked form of organization such as the IETF, ICANN, or the Internet Society with its local chapters. They constitute not only additional but novel forms to disseminate useful information and to build capacity.

Older international organizations such as the United Nations can help address new challenges while younger international organizations such as the Internet Society can help solve old problems.

The audio recording of the panel “Cyberwar: Roles and Responsibilities of International Organisations” is available here. The ISF Panel Summaries are available here.

This post originally appeared on In The Tank, a blog from the New America Foundation.