Today I will speak at George Washington University on a panel discussing the development of International Cybersecurity Norms.
Developing cybersecurity norms is a difficult process but essential for the future of cyberspace. For more than two decades, people have struggled to understand the cyber threat, evaluate the risks to individuals and organizations (including nation-states), and craft appropriate responses. Although many organizations have invested significantly in information assurance, most computer security experts believe that a well-resourced and persistent adversary will be successful in attacking systems, especially if raising defenses is the only response to an attack.
Addressing cybersecurity threats is hard for many reasons. I outline six of these in my paper on “Rethinking Cyber Threat – A Framework and Path Forward”, but let me highlight 3 that are especially hard for governments as they try to think through international security challenges related to cybersecurity.
· The Internet is a shared and integrated domain. It is shared by citizens, businesses, and governments in a manner that makes it difficult to segregate one group from another. Free speech, commercial transactions, espionage activities, and cyber warfare may be occurring in this shared and integrated domain, all at the same time and over the same transport medium. With a limited ability to parse actors and activities, tailored responses to specific threats are extremely hard to craft.
· The potential consequences of an attack are very difficult to predict. Certain nefarious activity such as network scans or unauthorized system access may be a prelude to information theft, a data integrity breach, or a disruption of service. Moreover, the complex interrelationships between systems suggest that there may be unanticipated cascading effects, some of which may be more severe than even the intended effect. Finally, while some attacks may be obvious (for example, a denial of service attack against a critical infrastructure) and generate a quick response, other attacks may be hard to detect. Much has been written about the exfiltration of data from sensitive systems; a more disconcerting scenario might be an alteration of critical data. Not only can this be difficult to detect, but it may be difficult to discern when the data was changed without authority, thus making it difficult to “roll back” to a known good state.
· The worst-case scenarios are alarming. In the popular press, policy space, and think tanks, these scenarios include disrupting critical infrastructure services, impeding key economic functions, or imperiling public safety and national security. The complexity of these scenarios, which results in part from massive interconnectivity and dependencies between systems that are not always well understood, has made it difficult to develop a consensus regarding the probable consequences of an attack. As for our ability to recover quickly from such an attack, society’s increasing dependence on information technology systems and the data they contain may mean that there is no longer an existing manual process with trained people to fall back on.
These challenges and the rapidly changing threat landscape have also raised concerns about the dangers of potential conflicts in cyberspace. According to the United Nations, there are more than 30 countries that have developed doctrine related to the use of cyberspace and some have developed cyber defense centers.[i] In response, there has been a substantial increase in government-to-government dialogue related to international cybersecurity.
To date, most of these international discussions have been largely between governments. Governments should work together to build effective norms ensuring that nation state behavior in cyberspace does not erode the fundamental trust and security mechanisms of the Internet. But these conversations would also benefit from private sector perspectives, including the technical challenges and priorities involved in securing billions of global customers.
Industry creates and operates most of the infrastructure that enables cyberspace. Industry also continues to innovate and build best practices and technical cybersecurity norms including: vulnerability disclosure management, secure development, security incident response, and risk management. Many of these topics are relevant for those public-private partnerships managing cybersecurity risk at the national level. However, such partnerships are often limited by national boundaries. As governments continue to evolve their views on cybersecurity and normative behavior in cyberspace, creating international public-private partnerships can help ensure resiliency of infrastructures and agility in responding to complex cybersecurity events.
In 2009, I recommended that nation states needed to address cybersecurity challenges related to economic espionage and cyber conflict and specifically called on them to address:
· Economic espionage and other areas of philosophical disagreement. There must be international discussions leading to the establishment of norms that are then enforced through national policies and international organizations.
· Cyber conflict issues. Countries must first develop domestic positions on what the rules for this new domain should be, taking due care to recognize the shared and integrated nature of the domain. Then there must be an international dialogue designed to create international norms for cyberspace behavior. Creating these norms will be as difficult as it sounds, but it is still both necessary and, ultimately, unavoidable. Absent such an agreement, unilateral and potentially unprincipled actions will lead to consequences that will be unacceptable and regrettable.
I believe these topics are even more relevant today. Governments and the private sector must work together to understand and build meaningful cybersecurity norms. Moving forward, we call upon (1) the private sector building and operating the infrastructure of cyberspace to work together with governments as they develop a collaborative approach to cybersecurity norms; and (2) governments to work with the private sector leading to the 2013 Seoul Conference on Cyberspace and beyond.
[i] James A. Lewis, Katrina Timlin, “Cybersecurity and Cyberwarfare 2011”, UNIDIR Resources, 2011. http://www.unidir.ch/pdf/ouvrages/pdf-1-92-9045-011-J-en.pdf