In it together – Developing cybernorms is a shared responsibility

Cybersecurity norms development remains an increasingly important international security imperative. In the past year, governments – either through the work done by the United Nations Group of Governmental Experts on Information Security, or through the Group of Twenty (G20), the international forum of 20 governments and central banks from major economies – have elevated their commitment to cybersecurity by proposing norms to address security challenges caused by the exploitation of information and communications technology (ICT) systems.

These proposals vary in their prescriptions, from protecting human rights on the Internet, to preventing use of cyber weapons on critical infrastructures, to putting an end to state-sponsored cyber economic espionage. The fact that governments have come this far is not a trivial matter given the rapid changes in technology, and the fact that governments have reason both to protect and exploit modern ICT systems. But despite the sustained discourse and forward progress, the hard work of developing and implementing cybersecurity norms remains a major international challenge spanning the government and the private sector.

With each set of norms comes a different group of stakeholders with different objectives. Separating these norms into distinct categories will ensure that the right stakeholders align the right norm to the right objective. When examining each of the many individual norms proposals, it becomes clear there are three categories of cybersecurity norms: offensive, defensive, and a set of norms uniquely focused on the ICT industry.

Governments have many objectives, some of which are best achieved through offensive action and others that are best achieved through self-restraint. The adoption of offensive norms (i.e., norms that govern offensive activity through self-restraint) means governments agree not to take certain actions and, as a result, unacceptable impacts do not occur. For example, by refusing to attack critical infrastructures, governments help ensure that civilian activities are not disrupted by militaries using cyber weapons. Similarly, governments must adhere to the positions laid out by the G20 in November and refrain from using ICT networks to steal private sector information for commercial advantage.

There is also a growing convergence around defensive norms, or norms that enable cybersecurity risk management through enhanced defenses and incident response. These norms stem from governments’ acknowledgement that cyber defense is a collaborative exercise, requiring cross-border partnerships and joint action against cybersecurity threats. Because these norms are about cooperation more than self-restraint, a different set of civilian agencies, specifically law enforcement agencies and those tasked with the protection of IT networks (e.g., CERTs), need to focus on their development and implementation. Cooperation also requires sharing information about risks to the ICT supply chain, specifically disclosing details of vulnerabilities to ICT product and service manufacturers.

The development and implementation of offensive and defensive norms should be led by governments. However, in an age where all people are increasingly dependent on ICT systems and there is a marked increase in offensive government cyber activity, the global ICT industry needs to come together as a community, and work with governments, to develop effective norms and provide the technical expertise necessary to assist in their implementation.

Norms are not just for governments. The global ICT industry must also develop and implement norms. The global ICT industry – which has no offensive objectives – must be clear on how it behaves to protect customers. The global ICT industry norms must assure customers that they can trust global ICT platforms. For example, the global ICT industry must be clear that it will not tolerate back doors, it will not withhold patches, and it will address attacks – whatever their source – to protect customers. These norms must be implemented in a manner that increases customer confidence in the global ICT supply chain and sends a clear message to governments that our industry will not help exploit, but only protect, ICT users.

Cybersecurity norms development and implementation are complicated endeavors and require both government and private sector cooperation. We call on our colleagues from the ICT industry, as well as forward-thinking governments interested in preserving a safe and secure cyberspace, to work together to develop and implement comprehensive cybersecurity norms that, as appropriate, apply to governments and industry. The norms we define together today will shape the security of cyberspace for decades to come.

This article was first published in The Security Times.