Every man, or nation, for themselves might be the best mantra for cybersecurity. The recently released results of a cyber summit organized by the EastWest Institute concluded as much.
NextGov reported on 2010 study based on an international summit sponsored by the Brussels-based institute, which concluded, “It could take years to arrive at a global treaty on cybersecurity, since many states are not ready for it – and perhaps never will be.”
In short, an international treaty might be unattainable.
This conclusion hardly comes as much of a surprise. Looking for single “silver-bullet” solutions will not work. There is no technology, government policy, law, treaty, or program that can stop the acceleration of competition in the cyber universe. The right approach to cyber governance is to begin with the premise that all national security challenges are a series of actions and counteractions between competitors, and inquiring how these competitions might progress in the future.
International treaties are simply incompatible with a sensible approach to national cybersecurity. First of all, information technology is advancing so rapidly it is likely that any international regime that could be developed would be obsolete even before the UN stood up its website.
Second, many nations are bad actors online. According to a survey conducted by the OpenNet Initiative (ONI), “more than three dozen states around the world now filter the Internet.” Not surprising, among the most egregious practitioners of an online censorship control is Iran, which the Initiative rated as maintaining “the extensive filtering regime of any country ONI has studied.”
China is not much better. “A consistent feature of the Chinese Internet,” ONI concluded, “has been the lack of transparency, which has long been a hallmark of the government’s management and suppression of information.”
China and Iran are arguably the world leaders in trying to control their online worlds – but they are far from the only bad actors, Ethiopia among them. While the UN lauded the country’s E-Government effort, ONI pointed out “Ethiopia is increasingly jailing journalists and the government has shown an increasing propensity toward repressive behavior online: it seems likely that the trend will be more extensive censorship as Internet expands across the country.”
E-Government does not always equal good government. Bad nation-state actors are not going to jump on international agreement that forces them to clean up their act. More likely, they will press to ensure there are plenty of loopholes to let them to continue to act badly.
That said, Secretary Gates’ recent proposal that the United States undertake talks with China on cybersecurity makes no sense at all. They are the nation most aggressively attacking the United States online. According to the International Business Times, Defense Secretary Gates said, “he was confident that both sides ‘are on the road to fulfilling the mandate that our two Presidents have given to us: to strengthen the military-to-military relationships that they both consider an underdeveloped part of the overall U.S.-China relationship.’”
The last thing this kind of initiative shows is serious cyber-security leadership.
Of course, no nation is an island on the Internet, and it would be foolish to believe that cybersecurity can be achieved without working with international allies. That effort, however, ought to start with strong cyber alliances – not sleeping with the enemy.
Strong alliances just don’t happen by happenstance. Building the capacity for common action among free nations requires reinforcing rather than weakening the sovereignty of the state and at the same time strengthens the bonds of trust and confidence between free peoples, enabling them to act in their common interest. The right approach is to focus on building enduring alliances, not just “coalitions of the willing.” A comprehensive alliance-building approach, particularly for meeting the challenges of cyberspace, requires deliberate action and concrete plans.
Maximizing bilateral cooperation can be accomplished through joint programs, as well assistance in capacity building. An example of a fruitful area for cooperative agreements is in encouraging innovation, perhaps the quickest and most effective way to promote public-private engagement and build a national ability to mitigate and respond to cyber threats. Providing liability protection is one proven means of promoting private-sector innovation
After 9/11, Congress established one potential instrument: The Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act. The SAFETY Act lowered the liability risks of manufacturers that provide products and services used in combating terrorism. The act, passed in 2002, protects the incentive to produce products that the Secretary of Homeland Security designates as “Qualified Anti-Terrorism Technologies.” The Department of Homeland Security has made a con¬certed effort to implement the program, and, as of 2009, about 200 companies have obtained SAFETY Act certification. This program should be used to accelerate the fielding of commercial products and services for cyber security.
The United States could pilot this initiative by working with close allies like Israel.
As national liability protection proliferates, new opportunities for international cooperation will emerge. Countries that adopt verifiably similar liability protections should extend reciprocal privileges to one another. An expanding global web of liability protection will facilitate the proliferation of cyber-technologies for national security.
This approach may not sound as sexy as trumpeting international treaties, but it is likely to do a lot more to keep us safe online.