How will global cyber security norms develop?
Avoid putting too much of a burden on institutions such as the United Nations’ Group of governmental experts
Last month, United Nations secretary general António Guterres called for global action to minimise the risk posed by electronic warfare to civilians. A decade ago, cyber security received little attention as an international issue. But, since 2013, it has been described as the biggest threat facing the United States. Although the exact numbers can be debated, the Council on Foreign Relations’ Cyber Operations Tracker contains almost 200 state-sponsored attacks by 16 countries since 2005, including 20 in 2016.
The secretary-general appointed a Group of Governmental Experts (UNGGE) which first met in 2004, and in 2015 proposed a set of norms that was later endorsed by the G20.
By the beginning of 2017, 3.7 billion people, or nearly half the world’s population, were online. Along with rising interdependence and economic opportunity, however, came vulnerability and insecurity. With big data, machine learning, and the Internet of Things, some experts anticipate that the number of Internet connections may grow to nearly a trillion by 2035. The number of potential targets for attack will expand dramatically, and include everything from industrial control systems to heart pacemakers and self-driving cars.
Developing norms in the cyber domain faces a number of difficult hurdles. For starters, given that the Internet is a transnational network of networks, most of which are privately owned, non-state actors play a major role. Nonetheless, the description of “www” as the “wild west web” is a caricature.
Where does the world go now? Norms can be developed by a variety of policy entrepreneurs. The new non-governmental Global Commission on Stability in Cyberspace has issued a call to protect the public core of the Internet (defined to include routing, the domain name system, certificates of trust, and critical infrastructure). Meanwhile, the Chinese government has called for recognition of the right of sovereign states to control online content on their territory.
As member states contemplate the next steps in the development of cyber norms, the answer may be to avoid putting too much of a burden on any one institution such as the UNGGE. Progress may require the simultaneous use of multiple arenas. For example, China and the US reached a bilateral agreement restricting cyber espionage for commercial purposes. In other cases, such as security norms for the Internet of Things, the private sector, insurance companies, and non-profits might take the lead in developing codes of conduct.