What's New In the Field of Cyber Security Cooperation

The last few months have shown a number of signs that cooperation in cyber space is not just necessary but vital for the survival of the Internet as we know it.

There is no need to provide links to all the articles and news stories that talk about the dangers of cyber attacks on the infrastructure in the USA or other countries – you can find plenty of them.

There were stories about Russian authorities speaking on banning Gmail, Skype and other services that use encryption. There were accusations by Google that China has hacked into accounts of US governmental officials. There were stories about the European Union trying to build an EU computer emergency response team (CERT). And there were stories about hackers getting personal data from Sony, from Citibank, breaking into the RSA algorithm, etc., etc.

There were also stories about the newly published US Strategy on international cyber space. And there were stories about new legislation, mainly in the US, to deal with the cyber threats. Not to mention the stories saying that the US military may use conventional force to fight cyber attacks*.

What is really missing from these stories is the answer to the question “So, what?” Indeed, having all this information, one may only ask oneself, “What can be done to minimize the damage, deal with the criminals, and at the same time avoid the option of isolating, or even shutting down, the Internet?”

The key word is cooperation.

It is not new – among the first documented attempts of many governments to meet and talk on cybersecurity cooperation is the international meeting in Sofia, Bulgaria in 2003, as you can see here (in English).
One may note that the Budapest Convention on Cybercrime is also an attempt by many governments to reach an agreement on how to deal with cyber criminals. Some countries have joined, but some countries have shown a lack of desire to even consider joining.

The Internet is the hot word in many conversations – there are national, regional and international conferences and conversations going on constantly. People talk about connecting the next billion to the Net, about providing high-speed access to developing countries, and about controlling the Internet. Most recently, French President Sarkozy invited a number of Internet geeks and businessmen to talk about the future of the Internet at the last G8 meeting in France.

But what is missing from all these talks is concrete results.
Every specialist has an opinion, and while they are all trying to navigate between each other's opinions, nothing happens. There are powerful businesses, non-profits and government entities, based in the key countries – US, Russia, China, to name a few – which are competing for the attention of the policy makers, but not much is really happening.

And one might be surprised that the urging now comes from governments, rather than from businesses. Big international business does not seem to be much interested in encouraging international cooperation in the field of cybersecurity and combating cybercrime.
Governments and parliaments worldwide do exactly the opposite: they regularly come up with initiatives, but without the support of business, and with the usual lack of confidence from non-profits, these initiatives can’t really fly.
Of course, some of the initiatives of the governments are also not viable. Recently there have been talks about either trying to push forward the Budapest Convention to be signed and ratified by other countries, or the need for a new Cyber treaty, which should be created under the UN, or perhaps under the ITU. While it is tempting to believe that these options are both good, reality might prove otherwise.
The Budapest Convention still remains a monument to the western countries’ desire to somehow both regulate and take into account basic human rights principles. The UN has shown that it might take ages to reach an agreement on any issue. The ITU has its own internal issues, with increased budget problems, a lack of sufficient expertise, and attempts to change its scope of activities from telecommunications only to include some of the modern technologies, and these alone do not give it enough power to do something “real”, regardless of the desire of the ITU Secretary-General to move the cybersecurity agenda forward.

Bilateral talks are one possible solution, quick and easy to achieve. And while some argue that there is no way to reach bilateral agreements between each and every country, what they miss is that it is not actually necessary to reach such agreements between each and every country. A good example could come from the main players – China, Russia, USA, EU, but also Turkey, Ukraine, Brazil. And reaching a general understanding on the terms and conditions for an agreement might be very helpful to other countries which would like to join the efforts of the “big ones”. A possible platform for reaching such agreements might be the G8, the G20 or the OECD. Alternatively, the OECD could actually prepare a draft framework agreement to be accepted by any interested state.
Once such agreements are in place, and result in lowering cybercrime traffic between the participating countries, there will be no better example for the others.

While there is no need to go into detail right now about what such an agreement might include, there are at least several key issues which it has to cover, among them:
– education and training of law enforcement, judges and prosecutors in how to combat cybercrime.
Without proper education and training, no matter how good the national or international legal framework is, there will be no success in lowering the level of cybercrime.
– support to national parliaments with legal expertise on introducing / changing the relevant legislation, mainly the Penal / Criminal Code.
If cybercrime is not defined in the Penal Code, then it is not a crime, so it can’t be punished.
– raising public awareness.
If the people of a certain country think that cybercrime does not concern them, because they don’t have enough users, or a developed credit card system, or because the victims are overseas, that needs to be addressed. Losses from cybercrime are not confined to the countries where the victims are (today, that’s mainly the US and EU); because of an insecure business environment, certain countries are simply excluded from the innovation and investment wave.

This article is based on extensive research and communication in the last couple of years.
Some serious efforts in the field of cybersecurity cooperation were made by the US administration in 2003, but the real work started with the Obama administration (with the International Strategy for Cyberspace, the National Cybersecurity Initiative, and, going back to the first days of his presidency, the 60-day cyberspace policy review, which produced a number of documents).
The US efforts were quickly followed by some major countries and regional organizations. Among them, attention must be paid to:
– the Shanghai Cooperation Organization and their document (in Russian) on cooperation in ensuring international information security, which was recently ratified by the required four countries, and is now in force.
– the efforts of the European Union to properly define its cyber policy. The EU and European Commission efforts have faced some constraints, but they are slowly moving again, with upcoming hearings in the European Parliament, and a decision to enhance the role of ENISA. One must also note the work of the GGE (Governmental Group of Experts) – a body that reported to the UN Secretary-General on cybersecurity issues. Some of their work is reflected in opinions expressed by the chair of the group, Russian foreign ministry official Mr. Andrey Krutskikh (see for example here, in Russian).

In summary, there’s a lot of new stuff happening in this area, but the efforts so far are not as far-reaching as the stage of development of the Internet requires. Losses of online companies grow bigger, but they are addressed mainly through insurance companies and financial institutions. Many consider securing cyberspace to mean building better firewalls and enhancing the security of their networks.

* Something I wrote about in 1998, as published in the Bulgarian Military Journal, issue 5. (in Bulgarian, use Google Translate to get the sense)
