Wanted: Strong Leadership for Secure Cyberspace

In November of last year, the high-profile hacking of Sony Pictures Entertainment resulted in the mass release of confidential information and the disruption of IT systems. This widely publicized event is one of many where a government has been accused of a damaging cyberattack. Therein lies the discontinuity. While cybercriminals of course act in disregard of the common good, governments are supposed to be different. Governments are supposed to protect the national security, public safety and economic prosperity of their own citizens and, even further, they are supposed to promote international harmony, global prosperity, and human rights. Yes, governments sometimes wage war, but even that is subject to international laws and norms (e.g., the Law of Armed Conflict, the Geneva Convention). By contrast, as governments increasingly build – and sometimes use – offensive cyber capabilities, there are no similar agreed-upon norms for exercising self-restraint. They are needed now.

Recognizing the importance of this issue to the long-term safety of the IT ecosystem and our customers, we at Microsoft published two papers describing both the need for norms and concrete proposals for cybersecurity norms. Additionally, some governments, including those with a history of developing offensive capabilities, have recognized the need for norms; just last month, the United States government suggested five principles for ensuring international cyber stability. And at this year’s Global Conference on Cyberspace in The Hague, representatives from governments, the private sector and civil society discussed the development of voluntary, non-legally binding norms for responsible State behavior in cyberspace during peacetime.

Unfortunately, despite the increased recognition that such norms are necessary, reaching an international consensus on what these norms should be and how they can be enforced is difficult. Part of the challenge is that unlike Microsoft, which can focus solely on the security of its customers and the larger IT ecosystem, governments around the world do engage in both defense and offense. Indeed, the media is replete with stories of countries engaging in economic, diplomatic and military espionage, as well as surveillance. Many of these attacks target commercial off-the-shelf IT products, the same products relied upon by billions of people for every aspect of their lives. This means that attacks against such products, if not sufficiently restrained, may cause widespread harm.

With this in mind, some norms seem particularly important. First, governments should not insert vulnerabilities (backdoors) in generally available IT products and services, as this puts the entire IT ecosystem at risk. Second, governments should have a clear principle-based policy for handling product and service vulnerabilities, optimizing for the protection of computer users. Third, cyber weapons, if used, should be limited and precise; governments should not degrade or disable critical infrastructures on which civilians rely. Put another way, governments must avoid causing a mass event with potentially devastating consequences, such as destroying the power grid or disabling a telecommunications infrastructure that is frequently used for, among other things, calling police or fire departments. Finally, if and when such damaging civilian attacks do occur, nation states should take steps to help the private sector and other governments detect, contain and respond to the event.

European governments should act now

For these types of norms to be meaningful, it is important that they be debated thoroughly and adopted broadly. Yet the EU has been largely absent from global debate about how to develop effective, concrete and coherent cybersecurity norms. The EU’s lack of representation in fora such as the United Nations Government Group of Experts (GGE) on cybersecurity is notable in this regard. But the EU, if it engaged, could be hugely helpful in a number of ways. Its broad governmental representation, combined with its ability to engage with other stakeholders in the public, private, and academic sectors, would add considerable expertise to the discussion. Moreover, by participating in the establishment of norms, the EU would be increasing trust and openness among its own member states and around the world, helping it to achieve the ambitious goals of its cybersecurity strategy. Simply put, the EU could speak with one voice and help develop a more stable, peaceful and prosperous global cyberspace.

Developing cybersecurity norms is emerging as a fundamental normative challenge of the 21st century and the EU – both its Institutions and its Member States – should take a more active role in shaping this global debate. European countries have played an important role in international norms development in the past, and they have a critical role to play in developing cybersecurity norms for tomorrow.

This article was first published on POLITICO.eu
