Mitigating Cyber Risks: Is There Room for Two?
There is still a role for global discussion on norms of conduct in cyberspace.
Experts both in Russia and in the West are beginning to feel cautiously hopeful about the recent UN discussions on information security. 2018 has seen the adoption of three resolutions regarding states’ behaviour in cyberspace, two of which were proposed by Russia and one by the US. Under these initiatives, two expert groups are to begin work on elaborating universal norms of conduct in cyberspace. One is a Russia-proposed open-ended working group (OEWG) and the second is the US-proposed UN Group of Governmental Experts (UN GGE), which produced consensus reports in 2013 and 2015 but failed to do so in 2017. Could these two expert groups make groundbreaking progress, leading UN member states to agree on how to behave in cyberspace and how to respond to cyber attacks? Despite the positive agenda, some of the most sceptical voices in this discussion come from the business community.
Businesses claim that they have the most to lose from cyber attacks and are often the ones left to deal with the aftermath. They are increasingly willing to take matters into their own hands when attacks occur, while the UN is still debating whether a universal solution to cybercrime is possible. Within that debate there are several points of divergence, and some of possible convergence, between UN member states.
While the UN plays a key role in international relations, its member states tend to perceive cyber matters as an issue for interstate or bilateral dialogue. It is often argued that countries have been responsible for creating their own ‘rules of the road’ for every other domain, and so cyber should be no exception.
Even though there is a place for state influence, companies’ reach stretches beyond national borders. Many organisations operate globally, with offices across multiple legal jurisdictions, and the exchange of information is a business that runs 24/7. This puts businesses, particularly in the financial sector, at the coalface of information security, and the state must keep pace with them. Cloud computing and mobile access to a global network reduce the effectiveness of individual countries in laying down the rules of cyberspace. To succeed, states need to work collaboratively, and alongside industry, to make cyber security effective around the globe.
There is no denying the fact that the UN has served as the main venue for talks on information security for the last 20 years. Russia has historically attached high importance to these negotiations, and the US has recently started to promote its own cyber initiatives within the same body. While some view the UN as a steady ship in an ever-changing world, sceptics do not believe that there is much scope for common ground on norms in cyberspace. All UN member states have their own cyber security advisers, but the challenge will be ensuring that cyber security remains high on each state’s agenda. Sustained involvement by industry leaders will help to keep the cyber agenda on track and make information security a global success. Challenges will inevitably arise when one state needs to keep information away from others, as in cases touching on national security. This restricts the options for open information sharing between states.
One should not forget that there is always room for state-to-state agreements. While there is no comprehensive universal agreement on cyberspace, bilateral and multilateral formats are still actively used by many countries to serve as a platform for information exchanges, where states decide on mutually acceptable rules and have companies and state actors play by them.
States will always have an easier path to information security through state-to-state agreements, but such agreements struggle with scale: the number of parties and the volume of cross-border information keep growing. At some point, states will need to collaborate and compromise, or the world of global information will never be truly safe for conducting business. Industry is the main influencing factor here, as companies can choose where information goes and where they locate their businesses. This brings employment taxes and profit to the state, so it is in every state’s interest to find a minimum common ground that allows industry to succeed and operate safely within its borders.
Finally, some matters lie exclusively in the hands of states, such as the protection of nuclear facilities and other parts of critical national infrastructure. Though some international companies may be permitted to assist with the development of these important sites, the state will always remain responsible for determining the fate of their security in the event of a serious cyber intrusion.
Critical national infrastructure will always be the responsibility of the state. This cannot change, as the risk of exposure can never be owned by industry. There is, however, a disconnect between the global cyber threat and state-owned cyber defence. The state is often risk averse, and so change can be slow and behind the curve. In contrast, cyber-criminals are agile and work collaboratively, meaning that the cyber threat is constantly changing.
This is only likely to increase the exposure of critical national infrastructure to cyber attacks, driving up the risks to global security. Businesses must play an increasingly important role in threat detection and the defence of critical national infrastructure, while the state needs to ensure that these measures are effective in real time.
Maria Smekalova is Cybersecurity Programme Coordinator at the Russian International Affairs Council.
Kevin Gourlay is Cyber Defence Operations Director at Computacenter.
The views expressed in this Commentary are the authors', and do not necessarily reflect those of RUSI or any other institution.