Last week, Jan Neutze and I participated in a dinner discussion on “Building a Secure Cyber Future” that the German Mission to the United Nations and the Atlantic Council organized for the members of the United Nations Group of Government Experts (GGE) on Developments in the field of Information and Telecommunications in the context of International Security. The GGE is an important entity consisting of 15 designated experts who – while individually appointed by UN Secretary-General Ban Ki-moon – represent the opinions of their countries. For more background on the GGE see the UN Office for Disarmament Affairs and for an overview of existing policy positions and gaps see the recent ICT for Peace issue brief. The current GGE is meeting three times between August 2012 and June 2013 with the aim of developing a set of recommendations related to cybersecurity norms as well as confidence-building, stability and risk reduction measures to address the implications of nation state use of ICTs.
Jason Healey, Director of the Atlantic Council Cyber-Statecraft Initiative shared his views on the “Five Futures of Cyber Conflict and Cooperation” and I talked about the need to build a “Collaborative Cybersecurity Norms”.
Why is a collaborative approach to cybersecurity norms needed? Well to put it quite simply, neither governments nor the private sector acting on their own can fully grasp the scope of change occurring in cyberspace and the implications for security. The world is expected to have over 4 Billion people online by the year 2020, 50 Billion devices and a 50% increase in the amount of data that is being generated. While this creates amazing economic opportunities for countries around the globe, these figures also pose significant challenges which both governments and the private sector will have to address in order to keep the Internet stable, reliable, and secure.
Determining appropriate nation state behavior in cyberspace is a critically important task – and to a certain extent an important government-to-government conversation. But as cyberspace is a shared and integrated domain, on which governments, the private sector and global Internet users all rely on and interact side-by-side the dialogue on “Cybersecurity Norms” should be broadened, and it should certainly not exclude the private sector. In recent testimony before the U.S. Senate, TWC’s Corporate Vice President, Scott Charney, called on the U.S. government to “… insist that the private sector be integrated into these international discussions.” He further opined that the “The private sector creates and delivers the technologies that nation states seemingly now want to exploit to promote their national interests. As a result, the private sector should be involved in domestic and international diplomatic efforts that are intended to curb attempts to militarize the information infrastructure that it designs, deploys, and manages.”
Developing confidence building measures (CBMs) are one important step in the development of consensus building for what constitutes acceptable behavior in cyberspace by nation-state actors. However, it is important the role of the private sector be recognized in the growing international dialogue on cybersecurity norms. After all, it has been non-government stakeholders that developed, refined and operationalized a broad range of confidence building measures and normative behavior for key security issues including vulnerability disclosure management, secure development of code, security incident response, and risk management. Building a public private partnership among those who view the functioning of these systems as essential is critical to the long-term stability, reliability, and security of the Internet and the critical infrastructures upon which we all rely.