12 October 2014

The key to keeping cyberspace safe? An international accord.

By James Andrew Lewis 
October 7
http://www.washingtonpost.com/postlive/key-to-keeping-cyberspace-safe-international-accord/2014/10/07/ae50a35e-4812-11e4-b72e-d60a9229cc10_story.html

When Americans think about cybersecurity, they tend to focus on symptoms rather than causes — it’s a symptom when almost every month a major company is hacked and millions of personal records are stolen. We pit weak defenses against skilled opponents. Changing this won’t be easy, because there is no automatic fix, no new technology and no private action that can stop cybercrime and tame the Internet’s Wild West. 

First, we must recognize that most malicious actions in cyberspace directed against the United States come from hackers in two countries: China and Russia. These nations encourage their hackers to go after networks, data and money in the United States, and they protect them from prosecution. Russia allows criminal groups to steal from Western banks (Russian-speaking cybercriminal gangs can perform hacks as well as most intelligence agencies). The Chinese prefer to use military units to steal intellectual property for everything from the plans for the F-35 fighter jet to the formula for house paint. 

That the United States’ most active opponents in cyberspace are China and Russia (along with up-and-comers Iran and North Korea) is not a coincidence. These countries are our military rivals. Cyberspace creates opportunities to exercise national power, and these nations have seized those opportunities. Viewing the United States as their opponent, they skillfully exploit the Internet to gain advantage. This is not a cold war. In fact, it is not war at all. Our opponents have been careful not to use hacking for real attacks on the United States, as doing so would trigger a damaging response and get in the way of business. 

In turn, these and other countries would say the National Security Agency is equally at fault. The problem is the same for everyone. All countries now depend on cyberspace, as it is built into every important part of the global economy. Better cybersecurity requires that nations agree on the norms and rules for responsible behavior in cyberspace, both for states and for powerful companies. Agreement is possible even among adversaries, as there is shared interest in making our digital economic backbone stable and more secure. 

The idea of formal cooperation among governments is anathema to the old-school Internet community. The fear is that rules will harm the “free and open Internet” to which all kinds of miraculous economic powers are ascribed. It’s true that the global network has brought us immense economic benefits and offers still more. However, the free and open Internet is long gone. Consumers are locked into vendors’ “walled gardens” where choice is restricted, and privacy vanished well before former government contractor Edward Snowden leaked classified NSA information. Hacking remains far too easy and its costs are rising far too rapidly to stick with the laissez-faire approach. 

To make cyberspace safe, we need something like Bretton Woods. After repeated financial crashes (the last of which, in 1929, led to global depression and war), the United States and its allies created the Bretton Woods system to establish transnational rules, norms and institutions to manage and reduce risk for global finance and trade. We can do the same for cyberspace. This does not mean creating a one-ring-to-rule-them-all Internet body, nor does it mean an all-government approach. It means agreement on a collective approach to reduce risk and follow principles for stability. The Bretton Woods system was not perfect, but it was better than the chaotic national approaches that preceded it. Some countries will balk at following the rules — as they balked at rules against nuclear proliferation or money-laundering — but the right blend of incentives and penalties (such as indictments in U.S. courts) will help change their minds. 
Agreement on rules would ultimately reduce risk, and in a perfect world, international accord on cybersecurity would be enough to protect us. But reaching such an accord won’t be easy or quick. The same way that banks rely on the police but still need vaults and guards, companies will need to do more to protect themselves and their customers. Most network breaches still require only simple hacking techniques. 
The Obama administration favors a voluntary, standards-based approach (a time-honored American solution) to cybersecurity using the National Institute of Standards and Technology’s new Cybersecurity Framework, but it has hinted at regulation if companies do not act. The framework sets minimum levels of cybersecurity, and companies can expect auditing firms to evaluate how secure their networks are and use that information in annual audits and shareholder reports. 
Company liability also will create powerful incentives. A hacked company could face lawsuits from shareholders and customers if plaintiffs can show that it did not implement the framework. The framework has inspired other countries to set cybersecurity standards, and a single global approach to cybersecurity would be better than having each country design its own. 
Like it or not, the pioneering days of the Internet are over. In the iconic American film “The Man Who Shot Liberty Valance,” a mild-mannered lawyer supplants a larger-than-life cowboy who pioneered the West. There’s an understandable reluctance in the movie to see heroic, self-reliant cowboys replaced by lawyers, but there also is a recognition that society has outgrown the pioneer phase and that it’s time to move to a world ordered by the rule of law. And there is a similar reluctance to acknowledge that cyberspace has matured and that taming the cyber Wild West means extending the rule of law — internationally and domestically, existing laws and maybe some new ones — and creating institutions to enforce them. This means frameworks, international agreements, standards and formal oversight. 
Getting the rule of law in cybersecurity requires collective action, nationally and internationally, and for now, that still requires U.S. leadership. Unfortunately, this may be impossible in Washington today. The political consensus that let this society build superhighways and the Internet is fractured. Until a new political consensus is forged, progress in cybersecurity will be slow. Cybersecurity is a good test of whether the United States has the resolve and the skills to maintain the world order it created decades ago. We may fail, in which case cybersecurity will be just another part of a larger unraveling of international peace. While Washington struggles to redefine its social contract, we should expect uncertain responses, half-measures and more hacking. 
Lewis is senior fellow at the Center for Strategic and International Studies.