This Global Governance Working Paper is a new feature of the Council of Councils (CoC), an initiative of the Council on Foreign Relations. Targeting critical global problems where new, creative thinking is needed, the working papers identify new principles, rules, or institutional arrangements that can improve international cooperation in addressing long-standing or emerging global problems. The views and recommendations are the opinion of the authors only, do not necessarily represent a consensus of the CoC members, and are not the positions of the supporting institutions. The Council on Foreign Relations takes no institutional positions on policy issues and has no affiliation with the U.S. government.
The Challenge
Information and communications technology (ICT) presents one of the most critical modern challenges to global security. Threat assessments predict that the next major international crisis could be due to a state or terrorist group weaponizing ICTs to devastate critical infrastructure or military logistics networks. The proliferation of asymmetric warfare (i.e., conflicts between nations or groups that have disparate military capabilities) has increased states’ use of ICTs, which necessitates the development of an international code of cyber conduct.
There is an urgent need for cooperation among states to mitigate threats such as cybercrime, cyberattacks on critical infrastructure, electronic espionage, bulk data interception, and offensive operations intended to project power by the application of force in and through cyberspace. Emerging cyber threats could precipitate massive economic and societal damage, and international efforts need to be recalibrated to account for this new reality.
A common misperception is that the principal cybersecurity threats demanding urgent international collaboration are massive, state-sponsored attacks that target critical infrastructure such as power plants or electrical grids, causing widespread devastation and human casualties. In fact, cyber threats are more diverse and complex, often targeting private enterprises and endangering the technical integrity of the digital world. The near-total digitalization of business models makes the global economy more vulnerable to cyberattacks, not only from states but also from criminal organizations and other nonstate actors.
Recent legislation, such as the European Parliament’s 2016 directive on the security of network and information systems, has taken this reality into account. The directive focused broadly on threats to critical infrastructure, and aimed to improve cybersecurity measures to safeguard so-called essential services such as online marketplaces, search engines, and cloud computing services vital to businesses, governments, and citizens. Any major disruption in these services could destroy existing business models and generate huge operational costs.
In May 2017, for example, a series of cyberattacks using the WannaCry ransomware (a type of malware that encrypts a user’s data and only releases it when a ransom has been paid) affected hundreds of thousands of computers across the globe. The total cost of the WannaCry attacks, which the United States, United Kingdom, and others attribute to the North Korean government, was estimated to exceed $1 billion. WannaCry was soon followed by a destructive wiper-malware attack (a type of cyberattack that wipes computers outright, destroying records on the targeted systems without collecting a ransom) known as NotPetya/Petya. This brief but large-scale outbreak, also potentially linked to a state actor, affected many organizations around the world and was estimated to cost container ship operator Maersk up to $300 million in lost revenue.
The attacks of 2017, however, could be dwarfed by cyberattack campaigns in coming years. According to a Lloyd’s of London report, a major cyberattack on a cloud services provider such as Amazon could trigger economic losses of up to $53 billion, a figure on par with a catastrophic natural disaster such as Hurricane Sandy, which hit much of the eastern United States in 2012. The Russian Federal Security Service (FSB) estimates that cyberattacks already cost the global economy $300 billion annually, and Juniper Research recently predicted that figure will total $8 trillion over the next five years.
Recommendations
Governments, global industry, and experts from academia and civil society should work together to prevent cyberwar, restrict offensive cyber operations by nonstate actors, and mitigate the daily economic threats that ICTs pose to the global economy. The following recommendations seek to maximize international cooperation while minimizing politicization and cyber risk.
Recommendations for This Year
Restart the U.S.-Russia dialogue on cyber issues. The relationship between the United States and Russia is of crucial importance for the whole ecosystem of cyber policy and diplomacy. The two countries are among the most advanced cyber powers and were the first to develop ICT confidence-building measures (a “cyber nonaggression pact”), and they remain the front-runners on global cyber-policy discussions.
Disagreements and accusations between the United States and Russia have been escalating for three years and are partly responsible for the lack of progress on establishing cyber rules for responsible state behavior. The United States is aligned with a group of countries that insists that existing international law fully applies to cyberspace, whereas Russia is aligned with another group that wants a new treaty tailored specifically to this domain. As long as the two camps pull in different directions, no major progress on cyber norms can be achieved.
Critics may argue that new agreements between Washington and Moscow are impossible, given the accusations that Russia used ICTs to meddle in the 2016 U.S. presidential election and that the United States used ICTs for its own geopolitical and surveillance goals, as exposed by Edward Snowden. However, U.S.-Russia cyber negotiations could still be successful. The United States found itself in a similar position in 2015, when the Barack Obama administration was close to imposing broad sanctions against China in retribution for hackers (allegedly supported by the Chinese government) stealing industrial secrets, costing the U.S. economy billions of dollars in damages. Rather than cutting off dialogue on cyber issues, however, Obama and Chinese President Xi Jinping were able to sign a substantial cyber economic-espionage agreement that sharply curtailed China-based cyberattacks on the United States. The U.S.-China agreement was realistic and limited in scope, something the United States and Russia should also strive to achieve. For example, the two powers could aim for an agreement limited to the prevention of dangerous military activities in cyberspace, similar to the U.S.-Soviet Incidents at Sea Agreement of 1972.
Reconvene UN experts and implement existing norms. In 2004, the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) was established to develop a common approach to how governments should behave in cyberspace. Its 2015 report provided the foundation for an internationally recognized governmental cyber code of conduct.
The 2015 report recommended eleven basic but important norms, including determinations that states should not knowingly allow their territory to be used for internationally wrongful cyber acts; should not conduct or knowingly support ICT activities that intentionally damage critical infrastructure; and should seek to prevent the proliferation of malicious technologies and the use of harmful hidden functions. In this consensus document, existing and emerging threats in cyberspace were spelled out; basic norms, rules, and principles for responsible behavior were proposed; and confidence-building measures, international cooperation, and capacity-building were given the attention they deserve.
Unfortunately, the UN GGE failed to reach a consensus in June 2017 on a successor to the 2015 report. However, the group is not defunct, and it should reconvene as soon as possible. Instead of attempting to expand on the 2015 report, it should be given stronger official status, for instance as a UN General Assembly resolution. If it was coauthored by all the permanent members of the UN Security Council, it would likely get broad support from other countries. Although a UN resolution would be nonbinding, it would serve as a step toward institutionalizing cyber norms.
Require state reporting of cyber vulnerabilities. An updated UN GGE report or other international agreement should include a mandate that states report ICT vulnerabilities to the companies or governments responsible for correcting them. The 2015 UN GGE report only encouraged the reporting of such vulnerabilities, but reporting should be treated as more than simply good practice: it is a government’s moral responsibility.
After a widespread ransomware attack in 2017, Microsoft President Brad Smith noted that the virus targeted a vulnerability in Microsoft software that had previously been discovered by the U.S. National Security Agency (NSA) and which was then leaked into the public domain. Had the NSA reported the vulnerability to Microsoft when it was first identified, the company could have issued a security update to the tens of millions of computers that use its software. Smith argues that international standards should compel national intelligence agencies and militaries not to stockpile or exploit such software vulnerabilities. The United States, Russia, and other cyber powers should support this effort, as software vulnerabilities have repeatedly leaked from their national security agencies, causing widespread damage. Governments need to take a different approach to cyberspace and develop rules similar to those that govern biological and chemical weapons in the physical world.
Use a bottom-up approach for rules regarding responsible behavior in cyberspace. The Organization for Security and Cooperation in Europe, the Shanghai Cooperation Organization, and other regional and international organizations have started to elaborate their views on cyber issues, as have individual countries, alliance groups, and companies. Cyber policies have already been developed by Russia and the United Kingdom; by an alliance among China, Russia, Tajikistan, and Uzbekistan; and by Microsoft. Releasing drafts of such rules and policies would help countries and regions find areas of agreement, thus moving the debate forward. Such actors should also provide the UN GGE with their recommendations and best practices.
Start discussions on a global cybercrime convention. The United States and fifty-five other countries have signed the important Budapest Convention on Cybercrime, but Russia and China have not. An effective cyber regime only works if all major powers take part and accept its provisions. Either the Budapest Convention needs to be adapted to attract more signatories, or a new treaty needs to be created. New proposals are already on the table. This issue should also be dealt with at the United Nations, where there is a mechanism for discussing global cooperation in combating cybercrime: the open-ended intergovernmental expert group on cybercrime. These efforts would be most effective if they received a mandate from the UN General Assembly to work toward a universal convention based on the Budapest Convention or existing alternative proposals.
Make cyber incident attribution easier. Governments and the global technical community should develop improvements and updates to core internet protocols to make cyber incident attribution more effective on the technical level. This will help verify compliance with principles of international law such as noninterference in the internal affairs of other states—including elections—and hold states more responsible for what happens in their cyber realm.
Recommendations for the Next Five Years
Create an international cyber court or similar body. Due to the growing number of cyberattack accusations among states and the difficulty of technical attribution, it would be beneficial to create an independent, international cyber court or arbitration mechanism that deals only with government-level cyber conflicts and that would be recognized and respected by all parties. In such a court, one party could present evidence that it was hacked, the accused party could argue it was not behind the attack, and independent, qualified experts would attempt to verify the accuracy of those claims. A mechanism like this would be useful to settle the current conflict between the United States and Russia regarding the 2016 U.S. elections.
Restrict autonomous cyber weapons. Cyber weapons that operate without human involvement, like the U.S. project MonsterMind revealed by Edward Snowden, should be outlawed. Attacks are often routed through computers in innocent third countries whose citizens’ information is put at risk by autonomous cyber weapons that do not abide by national borders. The UN GGE meeting on lethal autonomous weapon systems, held in November 2017 under the Convention on Prohibitions or Restrictions on the Use of Certain Conventional Weapons, was the first formal meeting on such weapons and is a good venue for taking concrete steps to strengthen a code of conduct.
Recommendation for the Next Ten Years
Codify cyberattack legislation into international law. A longer-term goal should be the signing of a binding UN convention on fighting cybercrime and a universal code of conduct for states in cyberspace. The UN GGE recommendations already agreed to can serve as a starting point.
Conclusion
These are just a few of the many possible proposals that could help increase international cooperation in cyberspace and protect the stability and resiliency of the global digital economy. Of all these proposals, it is most important that the world does not allow the establishment of cyber norms to continue at today’s slow pace. There is now no universal body working to enhance global cooperation in combating cybercrime and no mechanism for developing norms for state behavior in cyberspace. This policy vacuum allows for malicious actors to use the internet however they see fit, without repercussions. The world should not have to wait for a cyber Pearl Harbor to try to make this space safer and more predictable.