Why we need new rules to deal with cyber (in)security

Last weekend, I had the pleasure of joining over 500 political leaders, diplomats, academics, civil society representatives and tech industry colleagues at the 2017 Munich Security Conference (MSC). As was to be expected given the recent installation of a new U.S. administration, the future of the transatlantic relationship dominated conference discussions – but I was surprised at how the topics of cybersecurity, and insecurity, kept coming up over and over again.

Cybersecurity concerns have escalated into one of the central security policy issues of our time, with serious implications for the stability of our economies and social structures. Recent incidents of state hacking and doxing, as well as the distribution of fake news, have raised awareness and concerns to new levels.

Forty nations are currently known to be developing offensive cyber capabilities, reinforcing the urgent need for international rules for cyber actions, whether in war or peacetime. Microsoft has been one of the most vocal companies advocating for cybersecurity norms to govern state actions – we’ve come up with proposals for such norms for both the public and private sectors. And just last week, at the RSA Conference in San Francisco, Microsoft’s President, Brad Smith, called for a Digital Geneva Convention to protect civilians on the Internet in peacetime.

While at MSC, Microsoft hosted a discussion entitled “Cyber Influence, Attack, and Integrity – The Need for Norms of State Behaviour in Cyberspace,” moderated by my colleague Jan Neutze. I had the pleasure of introducing former U.S. Secretary of State, Madeleine Albright, who spoke on the topic, followed by a delegation of international panelists united by their expertise: former U.S. Secretary of Homeland Security, Michael Chertoff; the former Foreign Minister of Estonia, Marina Kaljurand; and Julian King, European Commissioner for the Security Union.

The principle of integrity was central to the discussion. It doesn’t just mean sticking to a code of values – something very pertinent in the context of defining acceptable behavior in cyberspace – it also defines “a state of being complete or undivided”.

This isn’t only about keeping cyberspace safe in the face of escalating threats. It’s about ensuring that all actors are united in their determination to protect citizens online. We should all lend our support to the recently launched Global Commission on the Stability of Cyberspace, an organization which will be entirely dedicated to developing policies that can improve security in cyberspace.

So where do we go from here? I think the answer lies in strong engagement from all, whether around agreeing to norms of conduct and building the capacity to enforce them, or finding ways to address the challenges of attribution and deterrence. A global agreement should create mechanisms to foster cooperation on attribution and hold perpetrators of attacks accountable.

We can learn from and build on the work of international legal experts whose recently published Tallinn Manual 2.0 is a very timely and valuable contribution on how existing international law applies to cyberspace.

Defining the parameters for state actions deserves broad and thoughtful discussion to find agreement where we can. Constructive and collective dialogue is the only way to progress. There was an overwhelming consensus in Munich that nation states should not be interfering with each other’s electoral processes, be it around balloting, counting, or reporting. It may be harder to reach agreement in other areas.

However, I did get the sense from almost all attendees at MSC that, now more than ever before, it is vital that we demonstrate a commitment to international cooperation, in particular to the historically significant relationship between Europe and the United States, and to reducing cyber insecurity. In times of uncertainty, we should aim for more unity, not more division.

John Frank
Vice President for UN Affairs