The Internet Badly Needs Rules And Regulations

This article is more than 8 years old.

Last week, U.S. Secretary of State John Kerry proposed five basic principles of global Internet regulation for universal adoption, an initiative I can only applaud. He was speaking at Seoul University in South Korea. Here are the principles:

  • No country should conduct or knowingly support online activity that intentionally damages or impedes the use of another country’s critical infrastructure;
  • No country should seek either to prevent emergency teams from responding to a cybersecurity incident, or allow its own teams to cause harm;
  • No country should conduct or support cyber-enabled theft of intellectual property, trade secrets, or other confidential business information for commercial gain;
  • Every country should mitigate malicious cyber activity emanating from its soil, and they should do so in a transparent, accountable and cooperative way;
  • Every country should do what it can to help states that are victimized by a cyberattack.

There could (and should) be some discussion as to the exact wording of such basic rules. For example, one could question what exactly is defined as ‘critical infrastructure’; or ask whether the proposed rules would ‘ban’ cyberattacks like the one on Sony Pictures – despite the entertainment industry hardly being a part of critical infrastructure. I don’t fully understand whether these rules permit stealing intellectual property under the pretext of national security, not ‘for commercial gain’. Still, generally, universal adoption of any framework of such a kind is a step forward, and we need it… yesterday. I’ve been advocating such a global agreement for many years, for example here, here and here.

The major problem the world is facing online is that the number of countries joining the club of those having cyber-espionage capabilities is growing. And for government-backed hackers – no matter where they come from – the Internet is a lawless land, a digital Wild West with virtually zero liability for committing crimes like developing and distributing malware, breaking into private and public networks, stealing data or causing damage.

My company has investigated a number of advanced persistent threat (APT) attacks, and they only get stealthier, more dangerous and, regrettably, more widespread. More and more public money all around the world is invested in developing malware and sophisticated attack techniques. It’s already turning into a cyberarms race, though it’s one largely concealed from the public eye.

A very significant issue with our networks and computerized devices today is that they are fundamentally vulnerable and hackable. Software that consists of many millions of lines of code, and the various protocols used for applications, machines and computers to communicate among themselves, are not secure. Of course, it’s possible to build up super-defenses to make a successful cyberattack prohibitively expensive and technically challenging to carry out, but even such drastic (and expensive) measures do not make intrusions impossible. Traditional physical bank vaults are probably relatively more secure than virtual vaults in the digital domain, but all the same, no matter how thick their walls, valuables do still get stolen from them now and again, like a few months ago in London. Imagine nation states actively sponsoring the development of bank-robbing technologies. But on the Internet, something like that is already happening. It’s throwing stones while living in a glass house, and it’s both amazing and frightening how many supposedly responsible countries do it.

Sophisticated government-backed cyberattacks already cause significant damage, not only to their targets, but also to Internet development in general. They put it at risk of fragmentation – a divvying up along the lines of national borders, a prospect that would cost the world dearly, including in economic growth and other opportunities. Example: Countries fearing that their critical infrastructure and digital assets might be at risk from foreign adversaries are tempted to build new expensive walls online to protect themselves.

I believe that fundamentally all the countries involved in this cyberarms race would rather have a safe and secure Internet. But since they don’t trust each other, the idea of unilateral cyber-disarmament would hardly become popular with the militaries and intelligence bodies of any of them. In this situation any small step forward to rebuilding global trust would be a positive one. There’ll be no absolute safety on the Internet in the foreseeable future, simply because global cybercrime continues to grow. But governments shouldn’t be making it even less secure.

There are a large number of rules that regulate offline warfare at the international level. Treaties that banned the development and use of chemical and biological weapons, the nuclear non-proliferation treaty, and Geneva conventions protecting non-combatants and prisoners of war have not stopped wars occurring. But they arguably do help limit the damage caused by wars to some extent. A similar treaty regulating the cyberworld would not stop cyber-intrusions or espionage. But we badly need clear rules of the game that would help establish an acceptable level of security online. This is why I think John Kerry’s initiative on behalf of the U.S. administration is so valuable and important.