Global security and stability are increasingly dependent on digital security and stability. The scope of threats is growing. Cyber capabilities are developing, becoming more targeted, more impactful on physical systems, and more insidious at undermining societal trust.
“Cyber-attacks” and “massive data fraud and theft” have ranked for two years in a row among the top five global risks listed by the World Economic Forum (WEF). More than 80% of the experts consulted in the WEF’s latest annual survey expected the risks of “cyber-attacks: theft of data/money” and “cyber-attacks: disruption of operations and infrastructure” to increase yearly.
Three recent examples illustrate the concern. In 2016, hackers stole $81 million from the Bangladesh Central Bank by manipulating the SWIFT global payments network. In 2017, malware called “NotPetya” caused widespread havoc – shipping firm Maersk alone lost an estimated $250 million. In 2018, by one estimate, cybercriminals stole $1.5 trillion – an amount comparable to the national income of Spain.
Accurate figures are hard to come by as victims may prefer to keep quiet. But often it is only publicity about a major incident that prompts the necessary investments in security. Short-term incentives generally prioritize launching new products over making systems more robust.
The range of targets for cyber-attacks is increasing quickly. New internet users typically have low awareness of digital hygiene. Already over half of the attacks are directed at “things” on the Internet of Things, which connects everything from smart TVs to baby monitors to thermostats. Fast 5G networks will further integrate the internet with physical infrastructure, likely creating new vulnerabilities.
Other Existing Initiatives on Digital Security
- The Paris Call for Trust and Security in Cyberspace is a multi-stakeholder initiative launched in November 2018 and joined by 65 countries, 334 companies – including Microsoft, Facebook, Google, and IBM – and 138 universities and non-profit organizations. It calls for measures including coordinated disclosure of technical vulnerabilities. Many leading technology powers, such as the USA, Russia, China, Israel, and India, have not signed up.
- The Global Commission on Stability in Cyberspace, an independent multi-stakeholder platform, is developing proposals for norms and policies to enhance international security and stability in cyberspace. The commission has introduced a series of norms, including calls for an agreement not to attack critical infrastructure and non-interference in elections, and is currently discussing accountability and the future of cybersecurity.
- The Global Conference on Cyberspace, also known as the ‘London Process’, is a series of ad hoc multi-stakeholder conferences held so far in London (2011), Budapest (2012), Seoul (2013), The Hague (2015), and New Delhi (2017). The Global Forum on Cyber Expertise, established after the 2015 Conference, is a platform for identifying best practices and providing support to states, the private sector, and organizations in developing cybersecurity frameworks, policies, and skills.
- The Geneva Dialogue on Responsible Behaviour in Cyberspace provides another forum for multi-stakeholder consultation.
- The Cybersecurity Tech Accord and the Charter of Trust are examples of industry-led voluntary initiatives to identify guiding principles for trust and security, strengthen the security of supply chains, and improve the training of employees in cybersecurity.
The potential for cyber-attacks to take down critical infrastructure has been clear since Stuxnet was found to have penetrated an Iranian nuclear facility in 2010. More recently concerns have widened to the potential risks and impact of misinformation campaigns and online efforts by foreign governments to influence democratic elections, including the 2016 Brexit vote and the American presidential election.
Compared to physical attacks, it can be much harder to prove from which jurisdiction a cyber-attack originated. This makes it difficult to attribute responsibility or use mechanisms to cooperate on law enforcement.
Perceptions of digital vulnerability and unfair cyber advantage are contributing to trade, investment, and strategic tensions. Numerous countries have set up cyber commands within their militaries. Nearly 60 states are known to be pursuing offensive capabilities. This increases the risks for all as cyber weapons, once released, can be used to attack others – including the original developer of the weapon.
As artificial intelligence advances, the tactics and tools of cyber-attacks will become more sophisticated and difficult to predict, including becoming better able to pursue highly customized objectives and to adapt in real time.
Many governments and companies are aware of the need to strengthen digital cooperation by agreeing on and implementing international norms for responsible behavior, and important progress has been made especially in meetings of groups of governmental experts at the UN.
The UN Groups of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security have been set up by resolutions of the UN General Assembly at regular intervals since 1998. Decisions by the GGE are made on the basis of consensus, including the decision on the final report. The 2013 GGE agreed in its report that international law applies to cyberspace. This view was reaffirmed by the subsequent 2015 GGE, which also proposed eleven voluntary and non-binding norms for states. The UN General Assembly welcomed the 2015 report and called on member states to be guided by it in their use of information and communications technologies. This marks an important step forward in building cooperation and agreement in this increasingly salient arena.
Digital Cooperation on Cybersecurity
The pace of cyber-attacks is quickening. Efforts that are currently fragmented need to coalesce rapidly into a comprehensive set of common principles to align action and facilitate cooperation that raises the costs for malicious actors.
Private sector involvement is especially important to evolving a common approach to tracing cyber-attacks: assessing evidence, context, attenuating circumstances, and damage. We are encouraged that the 2019 UN GGE and the new Open-Ended Working Group, which deal with the behavior of states and international law, while primarily forums for inter-governmental consultations, do provide for consultations with stakeholders other than governments, mainly regional organizations.
In our recommendation, we call for a multi-stakeholder Global Commitment on Digital Trust and Security to bolster these existing efforts. It could provide support in the implementation of agreed norms, rules, and principles of responsible behavior and present a shared vision on digital trust and security. It could also propose priorities for further action on capacity development for governments and other stakeholders and international cooperation.
The Global Commitment should coordinate with ongoing and emerging efforts to implement norms in practice by assisting victims of cyber-attacks and assessing impact. It may not yet be feasible to envisage a single global forum to house such capabilities, but there would be value in strengthening cooperation among existing initiatives.
Another priority should be to deepen cooperation and information sharing among the experts who comprise national governments’ Computer Emergency Response Teams (CERTs). Examples to build on here include the Oman-ITU Arab Regional Cybersecurity Centre for 22 Arab League countries, the EU’s Computer Security Incident Response Teams (CSIRTs) Network, and Israel’s Cyber Net, in which public and private teams work together. Collaborative platforms hosted by neutral third parties such as the Forum of Incident Response and Security Teams (FIRST) can help build trust and the exchange of best practices and tools.
Digital cooperation among the private sector, governments, and international organizations should seek to improve transparency and quality in the development of software, components, and devices. While many best practices and standards exist, they often address only narrow parts of a vast and diverse universe that ranges from talking toys to industrial control systems. Gaps exist in awareness and application. Beyond encouraging a broader focus on security among developers, digital cooperation should address the critical need to train more experts specifically in cybersecurity: by one estimate, the shortfall will be 3.5 million by 2021.