International cooperation for cybersecurity is paramount in enabling all countries to make use of developmental potential of the Internet.
The benefits of cyberspace to citizens, businesses and governments are considerable and far reaching. Information and communications technologies (ICT) have enabled innovations that have spurred economic opportunity and growth, enhanced civil liberties and connected people from around the world in new and meaningful ways. The shared and interconnected nature of cyberspace, however, has also created manifold challenges.
While technologies are overwhelmingly created for positive use, they can be — and are being — exploited as well. During a panel on “Cyber Security: The Internet of Risks,” speakers discussed how the integration of military, commercial and civilian communications through common networks and the use of off-the-shelf technology also creates vulnerabilities that can have catastrophic effects. These vulnerabilities threaten not just businesses and individual users but the very stability of cyberspace, too.
While states are leveraging technology to advance intelligence and national security objectives today, non-state actors, too, are deploying the same technologies to undermine democratic processes. The costs of these vulnerabilities have also risen dramatically, with one estimate claiming that crimes in cyberspace cost the global economy $450 billion a year. In a country such as the Netherlands, which is considered the digital gateway to Europe, cybercrime causes a loss of $8–10 billion a year — 1.3 percent of the country’s gross national product.
Experts at Raisina Dialogue 2017 agreed that cybercrime is particularly a major threat to sectors identified under Critical Information Infrastructure (CII). These sectors — which include financial systems, air traffic control and telecommunications, among others — form the bulwark on which a domestic economy rests. They are, however, especially vulnerable to cyber attacks for three reasons. First, all the sectors identified as CII are dependent on connectivity. Debilitating attack on any one system can cause a cascading effect, disrupting the functioning of other systems. Second, CII is highly dependent on industrial control systems, which depend on digital instructions. Any malicious takeover of these systems will not only disrupt but also seize functioning of CII.
Third, many CII, such as air traffic control, is dependent on navigational data, which is especially vulnerable to spoofing. If the integrity of this data cannot be ensured, the input of false data can have disastrous consequences.
The complexity of cyber attacks is on the rise and their sophistication will only increase in the coming decades. Combined with the proliferation of anonymising software, it is becoming harder to investigate cybercrime and trace the origin of malicious codes. Another challenge is in the omnipresence of data and inadequate protection accorded to it.
Localisation of world data to a few jurisdictions has long been a bone of contention among states. Emerging economies such as India, which are net data exporters, feel that storage of national data outside their jurisdictional boundaries hinders investigation of cybercrime. In future, these challenges will only exacerbate with the shift from “security by anonymity” to “security by identity.” As India continues to implement and expand its centralised biometric database, effective governance will depend on securing its domestic networks and data.
Panellists in the session underlined that the Internet is only as strong as its weakest link. International cooperation for cyber security is, therefore, paramount in enabling all countries to make use of developmental potential of the Internet. This requires scripting of new rules, which makes role of international bodies like the United Nations Group of Governmental Experts (UNGGE) critical.
Industry finds legislation very difficult because it tends to tie them down. They can’t innovate so well and you don’t want to kill innovation, you want to encourage innovation. — Uri Rosenthal, Special Envoy for Cyberspace, Ministry of Foreign Affairs, The Netherlands
In 2016, UNGGE published a new document and reconfirmed the application of the international law and the UN Charter into cyberspace. However, there has been a lack of consensus in the interpretation and application of these norms in diverse geopolitical contexts. Moreover, laws both international and domestic can only provide a limited solution. In a dynamic environment like cyberspace, laws struggle to keep pace with the rapidly evolving technology. Instead, a culture of cybersecurity should be developed by fostering cooperation between Computer Emergency Response Teams (CERT) and advocating for stringent cyber hygiene standards in handling of sensitive data.
The focus of policymaking in cyberspace must therefore be on development, defence and diplomacy. Development of domestic capacity to tackle cyber threats through technology sharing and capacity building can serve as a first and effective line of defence against cyberattacks. Further, defensive capabilities must be developed by proactively investing in domestic development of technology, and governments should focus on diplomacy to enable sharing of data for investigation of cyber offences as well as sharing of technologies to strengthen networks.
In the long run, countries need to develop cyber security policies that have both criminal and economical deterrent for offenders. Norms need to be put in place that ensure states do not attack CII in another country during times of conflicts; states cooperate when malicious code originate in other territories; CERTs are not attacked; and intellectual property is not stolen. Acceptance of these norms can lead to greater stability and can promote trust building among nations.
The views expressed above belong to the author(s).