Business leaders who recently convened in Davos for the annual World Economic Forum fretted over the various catastrophes that could hit the globe hard and – given the recent spate of cyberattacks – cybersecurity was high up on the agenda.
The end result was the launch of a Global Centre for Cybersecurity (GCC) with a clear mission to “prevent a digital dark age”. It claims to be the first platform for cybersecurity coordination on a global scale, bringing together governments, business and law enforcement agencies. The importance of cybersecurity is growing not only for traditional computer networks but also for “artificial intelligence, robotics, drones, self-driving cars and the Internet of Things”.
Cyberattacks are like any other crime, except that the origins and reach can be global. Put simply, a cyber criminal in one country can reach out to target victims at the other end of the world. Likewise, a gang of cyber criminals could organise themselves across several countries to target their victims.
It’s the unfortunate reality of the connected world we live in, where the internet doesn’t only provide connectivity but also anonymity and transient access, all of which serve to enable such attacks.
On top of that, parallel structures over the internet – known as the dark web – have emerged to facilitate cyber attacks of all kinds, allowing a black economy to thrive and be marketised.
Most attacks on critical and strategic systems have not succeeded – but the combination of isolated successes with a growing list of attempted attacks suggests that risks are increasing. And the world’s increasing interconnectedness and pace heighten our vulnerability to attacks that cause not only isolated and temporary disruptions, but radical and irreversible systemic shocks.
It’s clear that a globally coordinated approach to cybersecurity is essential.
While this is laudable, there have been similar efforts over the past decade or so – with mixed results. The Budapest Convention on Cybercrime, launched in 2001 by the Council of Europe, was one such attempt to align laws and to enable a key provision of securing digital evidence across jurisdictions to effectively resolve investigations. Harmonisation, however, has been a challenge with competing regional efforts emerging in various parts of the world.
NATO’s Cooperative Cyber Defence Centre of Excellence based in Tallinn, Estonia, is another such effort. It has played a major role in helping to produce the Tallinn Manual, which is the most comprehensive of international treaties for cyberspace law. Its impact is severely limited, however, because it is strictly an academic study and legally non-binding.
Geopolitics and cybersecurity collide
The quality of a state’s capacity to respond to such a complex problem is rapidly being recognised as an important element of global competitiveness. What, then, could global coordination achieve for effective cybersecurity?
A key aim of the proposed GCC is to work towards an appropriate and agile regulatory framework on cybersecurity. Regulatory alignment needs significant teamwork on global policy at all levels, sometimes from officials with little relevant expertise. They are required – often in time-critical scenarios – to assess evidence from a mix of sources including official threat intelligence, academic sources and industry threat reports.
All of these present policy challenges. How effective is the threat assessment? How good is the risk perception associated with a potential cyber attack? How are consequences judged, particularly in terms of critical and national assets? How does one account for a proportionate response, especially when it is nearly impossible to pin down perpetrators? And, most importantly, how do we shape future policy to address these questions?
The Geneva Centre for Security Policy (GCSP), a leading security thinktank, plays host to an annual student competition to address these questions. Competing teams from all over the world enter the competition and attempt to present a set of viable policy options for each round of the game.
A panel of judges choose winners for each round based on the most appropriate response to a set of cybersecurity threats identified. As rounds proceed, the scenarios escalate, becoming more complex. The winning team is the one that demonstrates excellence in deep technical knowledge and international relations skill. It’s an example of a truly global competitive effort. Could such games pave the way for a globally coordinated capacity-building initiative which seeks to allow all members – including the poorest and most disadvantaged – to develop skills and competencies?
Perhaps, but capacity building is only one challenge. How would a global effort serve to resolve national concerns over an overt declarative policy, effective deterrence, guarantee of civil liberty, democratic oversight and use of public-private cooperation for cyberspace? How would age-old political fault lines be resolved in the Middle East and East Asia, which persist across cyberspace? And how would new global cyber conflicts be prevented?
The GCC undoubtedly offers a reasonable proposition to nation states, by urging them to collaborate on overcoming cyber threats in a coordinated way. But for such a noble goal to work, it requires deeper resolve to deliver and a level of national commitment unprecedented in previous efforts. Given the increased global uncertainty, we are yet to have faith.