Project 6: Global Approaches to Cybersecurity

Start Here

As a cybersecurity professional, it is important for you to not only understand the organizational and national human and technical factors, bu

Cybersecurity International Policy

International cybersecurity policy has emerged based on efforts by international bodies and also in national strategies. International bodies, such as the United Nations, NATO, and the European Union, have each developed cybersecurity policies in concert with the focus, membership, and resources of their organizations. For example, NATO has made clear its objective to ensure that its operational and mission-related information systems are protected from cyberthreats while the organization continues to help member nations increase the security of their own national networks.

The United States has articulated its own international policy in the International Strategy for Cyberspace, released in 2011. This document establishes an approach for US engagement with foreign partners on cyberspace issues. It includes the following policy objectives (White House, 2011):

promoting international standards and innovative, open markets

extending collaboration and the rule of law

preparing for twenty-first-century challenges

promoting effective and inclusive structures

building capacity, security, and prosperity

supporting fundamental freedoms and privacy

However, future presidential administrations could significantly change, or even revoke, the International Strategy for Cyberspace and other policies.

References

The White House. (2011). International strategy for cyberspace. https://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf


International Cybersecurity Strategy: Deterring Foreign Threats and Building Global Cyber Norms

Testimony

Christopher Painter

Coordinator for Cyber Issues

Statement Before the Senate Foreign Relations Subcommittee on East Asia, the Pacific, and International Cybersecurity Policy

Washington, DC

May 25, 2016

Chairman Gardner, Ranking Member Cardin, members of the Subcommittee on East Asia, the Pacific, and International Cybersecurity Policy, it is a pleasure to appear again before your subcommittee to provide an update on key developments in our cyber foreign policy efforts.

Since I testified before your subcommittee one year ago, the Department of State (the Department) has continued to work closely with other federal departments and agencies and has made significant progress in a number of areas.

It is also important to note that last month, as required by the Consolidated Appropriations Act for 2016, the Department submitted to Congress the Department of State International Cyberspace Policy Strategy (the Strategy), which included a report on the Department's work to implement the president's 2011 International Strategy for Cyberspace, as well as a discussion of our efforts to promote norms of responsible state behavior in cyberspace, alternative concepts for norms promoted by certain other countries, threats facing the United States, tools available to the president to deter malicious actors, and resources required to build international norms. I appreciate the opportunity today to provide an update on our progress as well as the challenges we face in a number of areas.

As reflected in the Strategy we provided to Congress last month, the Department of State structures its cyberspace diplomacy in close cooperation with our interagency partners – including the Departments of Justice, Commerce, Defense, Homeland Security, and Treasury, and the Intelligence Community – around the following interrelated, dynamic, and cross-cutting policy pillars drawn from the president's International Strategy for Cyberspace: digital economy, international security, promoting cybersecurity due diligence, combating cybercrime, Internet governance, Internet freedom, and international development and capacity building, as well as cross-cutting issues such as countering the use of the Internet for terrorist purposes. In addition, as we noted, the Department is actively mainstreaming cyberspace issues into its foreign diplomatic engagements and building the necessary internal capacity.

I am happy to answer any questions regarding the Strategy, which discusses all of these policy priorities in greater detail, including specific accomplishments from our robust bilateral and multilateral diplomatic engagements and highlights from the roles and contributions of other federal agencies.

In spite of the successes outlined in the Strategy, the U.S. vision for an open, interoperable, secure, and reliable Internet faces a range of policy and technical challenges. Many of these challenges were described in my testimony last year, and they largely remain. I would like to focus my time today delving specifically into our efforts to promote a broad international framework for cyber stability, as well as some of the alternative views regarding the Internet that some governments are promoting. I will also spend some time discussing the technical challenges and threats posed by continuing malicious cyberactivity directed at the United States, as well as our allies, and the tools we have at our disposal to deter these actions.

Diplomatic Efforts to Shape the Policy Environment

Building a Framework for International Stability in Cyberspace

The Department of State, working with our interagency partners, is guided by the vision of the president's International Strategy for Cyberspace, which is to promote a strategic framework of international cyber stability. This framework is designed to achieve and maintain a peaceful cyberspace environment where all states are able to fully realize its benefits, where there are advantages to cooperating against common threats and avoiding conflict, and where there is little incentive for states to engage in disruptive behavior or to attack one another.

This framework has three key elements: (1) global affirmation that international law applies to state behavior in cyberspace; (2) development of an international consensus on and promotion of additional voluntary norms of responsible state behavior in cyberspace that apply during peacetime; and (3) development and implementation of practical confidence building measures (CBMs), which promote stability in cyberspace by reducing the risks of misperception and escalation.

Since 2009, the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) has served as a productive and groundbreaking expert-level venue for the United States to build support for this framework. The consensus recommendations of the three UN GGE reports in 2010, 2013, and 2015 have set the standard for the international community on international cyberspace norms and CBMs. The UN GGE process will continue to play a central role in our efforts to fully promulgate this framework when it reconvenes in August 2016.

Applicability of international law. The first and most fundamental pillar of our framework for international cyber stability is the applicability of existing international law to state behavior in cyberspace. The 2013 UN GGE report was a landmark achievement that affirmed the applicability of existing international law, including the UN Charter, to state conduct in cyberspace. The 2013 report underscored that states must act in cyberspace under the established international obligations and commitments that have guided their actions for decades – in peacetime and during conflict – and states must meet their international obligations regarding internationally wrongful acts attributable to them. The 2014-2015 UN GGE also made progress on issues related to international law by affirming the applicability of the inherent right to self-defense as recognized in Article 51 of the UN Charter, and noting the law of armed conflict's fundamental principles of humanity, necessity, proportionality, and distinction.

Norms of responsible state behavior. The United States is also building consensus on a set of additional, voluntary norms of responsible state behavior in cyberspace that define key areas of risk that would be of national and/or economic security concern to all states and should be off-limits during times of peace. If observed, these stability measures – which are measures of self-restraint – can contribute substantially to conflict prevention and stability. The United States was the first state to propose a set of specific peacetime cyber norms, including the cybersecurity of critical infrastructure, the protection of computer security incident response teams (CSIRTs), and cooperation between states in responding to appropriate requests in mitigating malicious cyberactivity emanating from their territory. In May 2015, Secretary of State Kerry highlighted these norms in his speech in Seoul, South Korea, on an open and secure Internet. The 2015 UN GGE report's most significant achievement was its recommendation for voluntary norms of state behavior designed for peacetime, which included concepts championed by the United States.

Confidence Building Measures. Together with our work on law and voluntary norms, cyber CBMs have the potential to contribute substantially to international cyber stability. CBMs have been used for decades to build confidence, reduce risk, and increase transparency in other areas of international concern. Examples of cyber CBMs include transparency measures, such as sharing national strategies or doctrine; cooperative measures, such as an initiative to combat a particular cyber incident or threat actor; and stability measures, such as committing to refrain from a certain activity of concern. Cyber CBMs are being developed, and are in the first stages of implementation, in two regional venues – the Organization for Security and Cooperation in Europe (OSCE) and the ASEAN Regional Forum, where agreement was reached in 2015 on a detailed work plan with a proposed set of CBMs for future implementation.

Although many of the elements of the framework I have described above may seem self-evident to an American audience, it is important to recognize that cyber issues are new to many states, and as I describe later in my testimony, there are also many states that hold alternative views on how we should promote cyber stability. Notwithstanding these headwinds, as well as the fact that diplomatic negotiations on other issues can take many years, if not decades, the United States and its allies have made substantial progress in recent years towards advancing our strategic framework of international cyber stability. At this point, I would like to highlight examples from last year that reflect our progress.

U.S.-China Cyber Commitments

The United States strongly opposes the use of cyber technology to steal intellectual property for commercial advantage, and has raised this concern with Chinese interlocutors for several years. In 2014, the United States indicted five members of the Chinese military for hacking, economic espionage, and other offenses directed at six US entities. This led China to suspend the US-China Cyber Working Group. The United States and China, however, reached an agreement during President Xi Jinping's state visit in September 2015 on several key commitments on cyber issues. These commitments are:

both governments agreed to cooperate and provide timely responses to requests for information and assistance regarding malicious cyberactivity emanating from their territories,

neither country's government will conduct or knowingly support cyber-enabled theft of intellectual property for commercial advantage,

both governments will work together to further identify and promote appropriate norms of state behavior in cyberspace and hold a senior experts group on international security issues in cyberspace, and

both governments will establish a ministerial-level joint dialogue mechanism on fighting cybercrime and related issues.

Two weeks ago today – on May 11 – the United States hosted the first meeting in Washington of the senior experts group on international security issues in cyberspace, which provided a forum to further engage with China on its views and seek common ground regarding norms of state behavior in cyberspace and other topics. The Department of State led the US delegation that included participation from the Department of Defense and other US government agencies. The senior experts group helps us advance the growing international consensus on international law and voluntary cyber norms of state behavior. We also have encouraged China to join us in pushing for other states to affirm these principles in international forums like the Group of Twenty (G20), and will continue to do so.

To implement other commitments reached during President Xi's visit, the United States and China held the first ministerial-level dialogue on cybercrime and other related issues in Washington on December 1, 2015. Attorney General Loretta Lynch and Homeland Security Secretary Jeh Johnson, together with Chinese State Councilor Guo Shengkun, co-chaired the first US-China High-Level Joint Dialogue on Cybercrime and Related Issues to foster mutual understanding and enhance cooperation on law enforcement and network protection issues. The second dialogue is scheduled to occur next month in Beijing, China.

Moreover, regarding the commitment that neither government will conduct or knowingly support cyber-enabled theft for commercial gain, Deputy Secretary of State Blinken testified last month before the full Committee on Foreign Relations that the United States is "watching very closely to ensure this commitment is followed by action."

The outcomes of last year's Xi-Obama summit focus on concrete actions and arrangements that will allow us to hold Beijing accountable to the commitments they have made. These commitments do not resolve all our challenges with China on cyber issues. However, they do represent a step forward in our efforts to address one of the sharpest areas of disagreement in the US-China bilateral relationship.

Group of Twenty (G20) Antalya Summit

In November 2015, the leaders of the G20 met in Antalya, Turkey, to discuss and make progress on a wide range of critical issues facing the global economy. At the conclusion of the Antalya Summit, the strong final communique issued by the G20 leaders affirmed the US-championed vision of international cyber stability and its pillars.

Among other things, the G20 leaders affirmed in their statement that "no country should conduct or support the ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors." They also highlighted the "key role played by the United Nations in developing norms" and the work of the UN GGE and its 2015 report. Addressing our overall framework, the G20 leaders stated that they "affirm that international law, and in particular the UN Charter, is applicable to state conduct in the use of ICTs and commit ourselves to the view that all states should abide by norms of responsible state behavior in the use of ICTs…"

The G20 leaders' communique represents a remarkable endorsement of our approach to promoting stability in cyberspace. Still, there is more to do. The United States will continue to work within the G20 and in other bilateral and multilateral engagements to promote and expand these policy pronouncements regarding responsible state behavior in cyberspace.

Organization for Security and Cooperation in Europe

As a result of the leadership by the United States and like-minded countries, the 57 member states of the OSCE, which includes not only Western allies but also Russia and other former Soviet states, reached consensus in March 2016 on an expanded set of CBMs. This expanded set, which includes five new CBMs, builds upon the 11 CBMs announced by the OSCE in 2013 that member states are already working to implement.

The initial 11 CBMs were primarily focused on building transparency and putting in place mechanisms for de-escalating conflict. For example, there were CBMs calling upon participating states to identify points of contact that foreign governments could reach out to in the event of a cyber incident emanating from the state's territory and put in place consultation and mediation mechanisms. The additional five CBMs focused more on cooperative measures on issues like cybersecurity of critical infrastructure and developing public-private partnerships. Secure and resilient critical infrastructure, including in the communications sector, requires the integration of cyber, physical, and human elements. Since most critical infrastructure is privately owned, public-private partnerships are essential for strengthening critical infrastructure. Given the distributed nature of critical infrastructure, these efforts also require international collaboration. Work will continue this year to strengthen implementation of the previous CBMs and to begin implementing the new ones as well. This will build on the cooperation we have underway with many international partners in this and other similar fora. We also hope that this further success within the OSCE context can serve to strengthen CBMs as a model that other regional security organizations can adopt.

In addition to our work with governmental organizations, the Department of State engages extensively with a range of stakeholders outside of government, who play critical roles in helping to preserve and promote the same vision of cyberspace held by the United States. Nongovernment stakeholders are often part of our delegations to key meetings, for which there is intensive consultation, and we often engage with our stakeholders before and after key events to hear their views and to inform them of our activities. We also engage extensively with the stakeholder community ahead of and immediately following major cyber conferences, such as the Global Conference on Cyberspace, most recently in The Hague, the Netherlands, and previously in Seoul, South Korea.

Policy Challenge: Alternative Views of the Internet

One challenge to the implementation of our cyberspace strategy is a competing and alternative view of the Internet. The United States and much of the broader international community support the open flow and movement of data on the Internet that drives economic growth, protects human rights, and promotes innovation. The United States believes in a multistakeholder approach whereby governments, private sector, civil society, and the technical and academic communities cooperate to address both technical and policy threats through inclusive, transparent, consensus-driven processes.

China's approach to cyberspace in the international context is propelled by its desire to maintain internal stability, maintain sovereignty over its domestic cyberspace, and combat what it argues is an emerging cyber arms race and "militarization" of cyberspace. China has been willing to consider cyber confidence building measures, and has affirmed that international law applies in cyberspace, but has not been willing to affirm more specifically the applicability of the law of armed conflict or other laws of war, because it believes it would only serve to legitimize state use of cyber tools as weapons of war.

This has led to a set of external policies that reinforces traditional Chinese foreign policy priorities of noninterference in internal affairs, national sovereignty over cyberspace, and "no first use" of weapons. China views its expansive online censorship regime – including technologies such as the Great Firewall – as a necessary defense against destabilizing domestic and foreign influences, and it has promoted this conception internationally. China also urges creation of new "cyber governance" instruments, which would, inter alia, create new binding rules designed to limit the development, deployment, and use of "information weapons"; promote speech and content controls; seek to replace the framework of the Council of Europe Convention on Cybercrime (Budapest Convention); elevate the role of governments vis-à-vis other stakeholders; and likely give the United Nations authority for determining attribution and responding to malicious cyberactivity. While the United States and its partners seek to focus our cyber policy efforts on combatting threats to networks, cyber infrastructure, and other physical threats from cyber tools, China also emphasizes the threats posed by online content. In addition, some of these policies stand in sharp contrast to the U.S. view that all stakeholders should be able to contribute to the making of public policy regarding the Internet.

Russia's approach to cyberspace in the international context has focused on the maintenance of internal stability, as well as sovereignty over its "information space." While Russia co-authored the Code of Conduct with China and other Shanghai Cooperation Organization members, Russia's ultimate goal is also a new international cyber convention, which they pair with criticism of the Budapest Convention.

Russia has nonetheless found common ground with the United States on our approach of promoting the applicability of international law to state conduct in cyberspace as well as voluntary, nonbinding norms of state behavior in peacetime. Russia has also committed to the first ever set of bilateral cyber confidence building measures with the United States, as well as the first ever set of cyber CBMs within a multilateral institution, at the OSCE in 2013 and 2016 that I previously discussed.

We counter these alternative concepts of cyberspace policy through a range of diplomatic tools that include not only engagement in multilateral venues, but also direct bilateral engagement and awareness-raising with a variety of state and non-state actors. I now would like to discuss some of the technical challenges and threats the United States faces and some of the tools we have to respond to and prevent cyber incidents.

Responding to and Preventing Cyber Incidents

Continuing Cyberthreats

Cyberthreats to US national and economic security are increasing in frequency, scale, sophistication, and severity. In 2015, high-profile cyber incidents included the breach of health insurance company Anthem, Inc.'s IT system, resulting in the theft of account information for millions of customers; an unauthorized breach of the Office of Personnel Management's systems, resulting in the theft of approximately 22 million personnel files; and hackers launching an unprecedented attack on the Ukraine power grid that cut power to hundreds of thousands of customers.

Overall, the unclassified information and communications technology networks that support US government, military, commercial, and social activities remain vulnerable to espionage and disruption. As the Department noted in the Strategy we submitted last month, however, the likelihood of a catastrophic attack against the United States from any particular actor is remote at this time. The Intelligence Community instead foresees an ongoing series of low-to-moderate level cyber operations from a variety of sources, which will impose cumulative costs on US economic competitiveness and national security, pose risks to federal and private sector infrastructure in the United States, infringe upon the rights of US intellectual property holders, and violate the privacy of US citizens.

In February, Director of National Intelligence James Clapper testified before Congress on the 2016 Worldwide Threat Assessment of the US Intelligence Community, and stated "Many actors remain undeterred from conducting reconnaissance, espionage, and even attacks in cyberspace because of the relatively low costs of entry, the perceived payoff, and the lack of significant consequences." He highlighted the malicious cyber activities of the leading state actors, non-state actors such as Da'esh, and criminals who are developing and using sophisticated cyber tools, including ransomware for extortion and malware to target government networks.

The Intelligence Community continues to witness an increase in the scale and scope of reporting on malicious cyberactivity that can be measured by the amount of corporate data stolen or deleted, personally identifiable information compromised, or remediation costs incurred by U.S. victims. The motivation to conduct cyberattacks and cyberespionage will probably remain strong because of the gains for the perpetrators.

Tools Available to Counter Cyberthreats

The United States works to counter technical challenges through a whole-of-government approach that brings to bear its full range of instruments of national power and corresponding policy tools – diplomatic, law enforcement, economic, military, and intelligence – as appropriate and consistent with applicable law.

The United States believes that deterrence in cyberspace is best accomplished through a combination of "deterrence by denial" – reducing the incentive of potential adversaries to use cyber capabilities against the United States by persuading them that the United States can deny their objectives – and "deterrence through cost imposition" – threatening or carrying out actions to inflict penalties and costs against adversaries that conduct malicious cyberactivity against the United States. It is important to note that there is no one-size-fits-all approach to deterring or responding to cyberthreats. Rather, the individual characteristics of a particular threat determine the tools that would most appropriately be used.

The president has at his disposal a number of tools to carry out deterrence by denial. These include a range of policies, regulations, and voluntary standards aimed at increasing the security and resiliency of U.S. government and private sector computer systems. They also include incident response capabilities and certain law enforcement authorities.

With respect to cost imposition, the president is able to draw on a range of response options from across the United States government.

Diplomatic tools provide a way to communicate to adversaries when their actions are unacceptable and to build support and greater cooperation among, or seek assistance from, allies and like-minded countries to address shared threats. Diplomatic démarches to both friendly and potentially hostile states have become a regular component of the United States' response to major international cyber incidents. In the longer term, US efforts to promote principles of responsible state behavior in cyberspace, including peacetime norms, are intended to build increasing consensus among like-minded states that can form a basis for cooperative responses to irresponsible state actions.

Law enforcement tools can be used to investigate crimes and prosecute malicious cyber actors both within the United States and abroad. International cooperation is critical to cybercrime investigations, which is why the United States has promoted international harmonization of substantive and procedural cybercrime laws through the Budapest Convention, created an informal channel for data preservation and information sharing through the G7 24/7 network, and promoted donor partnerships to assist developing nations.

Economic tools, such as financial sanctions, may be used as a part of the broader U.S. strategy to change, constrain, and stigmatize the behavior of malicious actors in cyberspace. Since January 2015, the president has provided guidance to the Secretary of the Treasury to impose sanctions to counter North Korea's malicious cyber-enabled activities. Executive Order 13687 was issued, in part, in response to the provocative and destructive attack on Sony Pictures Entertainment, while Executive Order 13722 targets, among others, significant activities by North Korea to undermine cybersecurity, in line with the recently signed North Korea Sanctions and Policy Enhancement Act of 2016. Aside from these North Korea-specific authorities, in April 2015, the president issued Executive Order 13694, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities, which authorizes the imposition of sanctions against persons whose malicious cyber-enabled activities could pose a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.

Military capabilities provide an important set of options for deterring and responding to malicious cyberactivity. The Department of Defense continues to build its cyber capabilities and strengthen its cyber defense and deterrence posture. As part of this effort, the Department of Defense is building its Cyber Mission Force, which is already employing its capabilities to defend Department of Defense networks, defend the nation against cyberattacks of significant consequence, and generate integrated cyberspace effects in support of operational plans and contingency operations. In addition, Secretary of Defense Ashton Carter announced earlier this year that US forces are using cybertools to disrupt Da'esh's command and control systems and to negatively impact its networks.

Intelligence capabilities are also an important tool at the President's disposal in detecting, responding to, and deterring malicious activities in cyberspace, particularly given the unique challenges associated with attributing and understanding the motivation behind such malicious activities.

Even with this broad range of tools, deterring cyberthreats remains a challenge. Given the unique characteristics of cyberspace, the United States continues to work to develop additional and appropriate consequences that it can impose on malicious cyber actors.

Capacity Building

In addition to the tools that I have just outlined, the ability of the United States to respond to foreign cyberthreats and fight transnational cybercrime is greatly enhanced by the capabilities and strength of our international partners in this area. Therefore, the Department of State is working with departments and agencies, allies and multilateral partners to build the capacity of foreign governments, particularly in developing countries, to secure their own networks as well as investigate and prosecute cybercriminals within their borders. The Department also actively promotes donor cooperation, including bilateral and multilateral participation in joint cyber capacity building initiatives.

In 2015, for example, the United States joined the Netherlands in founding the Global Forum on Cyber Expertise, a global platform for countries, international organizations, and the private sector to exchange best practices and expertise on cyber capacity building. The United States partnered with Japan, Australia, Canada, the African Union Commission, and Symantec on four cybersecurity and cybercrime capacity building initiatives. The Department also provided assistance to the Council of Europe, the Organization of American States, and the United Nations Global Program on Cybercrime to enable delivery of capacity building assistance to developing nations. Many traditional bilateral law enforcement training programs increasingly include cyber elements, such as training investigators and prosecutors in the handling of electronic evidence. Much of our foreign law enforcement training on combating intellectual property crime focuses on digital theft.

In another example of capacity building, the Department of State, through its Bureau of International Narcotics and Law Enforcement Affairs, manages five International Law Enforcement Academies (ILEAs) worldwide, and one additional Regional Training Center. These six facilities provide law enforcement training and instruction to law enforcement officials from approximately 85 countries each year. The ILEA program includes a wide variety of cyber investigation training courses, from basic to advanced levels, taught by subject matter experts from the US Secret Service and other agencies and policy-level discussions with senior criminal justice officials. This serves as a force multiplier to enhance the capabilities of the international law enforcement community to collaborate in the effort to fight cybercrime.

The Department of State is committed to continuing its capacity building initiatives as another effective way to counter international cyberthreats and promote international cyber stability.

Looking ahead

Cybersecurity will continue to be a challenge for the United States when we take into consideration the rapidly expanding environment of global cyberthreats, the increasing reliance on information technology and number of "smart devices," the reality that many developing nations are still in the early stages of their cyber maturity, and the ongoing and increasingly sophisticated use of information technology by terrorists and other criminals. Thus, the Department of State anticipates a continued increase and expansion of our cyber-focused diplomatic and capacity building efforts for the foreseeable future.

The Department will continue to spearhead the effort to promote international consensus that existing international law applies to state actions in cyberspace and build support for certain peacetime norms through assisting states in developing technical capabilities and relevant laws and policies, to ensure they are able to properly meet their commitments on norms of international cyber behavior.

The Department of State remains appreciative of this Subcommittee's continued support. Thank you for the opportunity to testify today. I am happy to answer your questions.

Licenses and Attributions

International Cybersecurity Strategy: Deterring Foreign Threats and Building Global Cyber Norms by Christopher Painter comprises public domain material from the U.S. Department of State. UMGC has modified this work.

International Cybersecurity Approaches

While individual nations continue to develop and implement their understanding of and approaches to cybersecurity, international bodies have also begun to include the topic on their agendas and even establish special bodies to address cybersecurity.

Cybersecurity challenges for international bodies—for example NATO, the United Nations, or the European Union—are unique as determined by the governing principles and membership of each body.

Another factor is the approach of the member nations to key cybersecurity-related issues, such as privacy. Many nations, particularly those that are less technologically developed, do not have the resources to fully absorb and respond to cybersecurity requirements, much less to contribute to the efforts of international bodies to do so. Such nations may benefit most from the efforts of international bodies, particularly those efforts that are focused on developing strategies, understanding security solutions, and implementing defensive measures to protect networks and data.

Cybersecurity: The Case for a European Approach

May 27, 2016

At the June summit, which will take place after the UK referendum, the high representative of the Union for Foreign Affairs and Security Policy, Federica Mogherini, will present the results of her global review of external strategy. As part of the review process, the Human Security Study Group, at the LSE, which is convened by Mary Kaldor and Javier Solana, has presented a report entitled From Hybrid Peace to Human Security: Rethinking the EU Strategy Towards Conflict together with 12 background research papers.

Conflicts are at the sharp end of contemporary crises. Refugees, extremist ideologies, criminality, and predation are all produced in conflict. Contemporary conflicts are sometimes known as "hybrid wars" or "new wars," in which the classic distinctions between public and private, government/regular and rebel/irregular, and internal and external break down. They are best understood not as legitimate contests of wills (the twentieth-century idea of war) but as a degenerate social condition in which armed groups mobilize sectarian and fundamentalist sentiments and construct a predatory economy through which they enrich themselves. Identifying ways to address violent conflict could open up strategies for dealing with broader issues.

In this special openDemocracy series, the Human Security Study Group outlines the main conclusions of our report in our introductory essay together with six essays based on some of the background papers. These essays include an analysis of the conceptual premises of the Global Review (Sabine Selchow); three essays on specific conflict zones—Syria (Rim Turkmani), Ukraine (Tymofiy Mylovanov), the Horn of Africa (Alex de Waal); the importance of the EU's justice instrument (Iavor Rangelov); and how EU cybersecurity policy is human rights-focused rather than state-focused (Genevieve Schmeder and Emmanuel Darmois).

The EU objective of developing a cyber soft power privileging defense, resilience, and civil society sharply contrasts with national cybersecurity policies developed both inside and outside Europe.

The increasing digitalization of our societies creates new vulnerabilities both to accidents and to intentional threats. Malevolent individuals and organizations may, without any physical presence, infiltrate all possible networks, including the most sensitive ones, modify the behavior of applications and compromise data.

Every individual, as well as every governmental, nongovernmental, and business organization, may be targeted. Hence the growing concern over cyberthreats, whose characteristics relate them more to human security than to traditional security approaches: They transcend international boundaries, mostly concern civil societies, are in essence asymmetrical, and have a crucial human rights dimension.

We focus here on EU policies in the field and their specificities. They end up shaping a distinctive EU approach to cybersecurity that rejects the kind of technological determinism and mass surveillance that tends to characterize the approaches of most other national and international actors.

Cybersecurity: Its Nature, Actors, and Real Threats

Cybersecurity has to do with the prevention, detection, mitigation, and response to destructive or malevolent practices developed in cyberspace, which affect computer systems and their associated data. These practices range from the least damaging, which disrupt nonessential services or are mainly a (costly) nuisance, to the potentially catastrophic (sabotage of critical infrastructures; accidents or disasters causing bloodshed). They have become mainstream and extremely frequent, and they have growing negative economic, societal, and security consequences.

The gradual emergence of cyberspace since the end of the '70s has gone together with some enabling factors, such as anonymity, impunity, and cost reduction. Another crucial factor for the development of cyberthreats is the proliferation of vulnerabilities, both technical and human. Today's cyber systems have complex architectures that are highly interdependent and hard to test exhaustively, and they rely on vulnerable end-user devices (e.g., smartphones). The human factor is even more crucial, since most often it is people, either through lack of attention or ignorance, who are the weak link.

All these vulnerabilities have created opportunities for financially motivated organized criminals, who also use cyberspace for their traditional activities. Theft and illegal trade of sensitive data (personal data, intellectual property, R&D, business-strategic data, etc.), money extortion and laundering, sexual abuse, etc., are a very fast-growing segment of cybercriminality, which has become a true industry, constantly seeking to improve both its division of labor and its technology.

Targeted companies and legal actors are in a difficult defensive position. They are generally reluctant to communicate their problems, for fear of loss of reputation or of negative reactions from customers or stakeholders. Furthermore, effective cybersecurity requires huge investments, and securing just one link in the chain is not enough. Yet it seems that the cost of poor cybersecurity is still considered bearable and that decision-makers continue to trade off cybersecurity spending against other priorities.

Yet the worst may be still to come with the emergence of sabotage as a new frontier for cybercriminality, in particular with the emergence of intelligent transport systems, eHealth, smart grids, or the Internet of things. Indeed, technically, it is already feasible and possible (or it will be soon) to get control of some connected objects, or to disrupt elements of electricity distribution networks, water treatment plants, emergency services, and so forth.

Moreover, terrorists and jihadist organizations have swiftly recognized the benefits of using the Internet as a part of their arsenal. So far, however, despite scenarios in which sophisticated cyberterrorists break into critical infrastructures, they have not inflicted the kind of damage that would qualify them as cyberterrorism.

The Role of Governance, State Actors, and Transparency

States are mobilizing important resources for their cybersecurity activities that are both military and civilian, defensive and offensive.

In the military field, most states develop capabilities to back traditional military operations. A number of them—including several European countries—consider that offensive defense is not enough. Preparing for aggressive cyberwar which, unlike conventional war, is not subject to any rule or control, they include preemptive digital strikes in their global panoply. They are behind the most sophisticated cyberthreats, which involve a wide range of actions, from disinformation, vandalism, economic cybercriminality, and espionage to sabotage.

Involved military and intelligence services often hide their aggressive and malicious actions behind other malevolent actors. Beyond the potentially lower costs, the main advantage of leaving the attacks to informal cyber gangs is that states can deny their responsibility.

In the economic domain, all governments consider it their obligation to have the capabilities to defend their domestic infrastructures and economy. Though this defensive approach is well in line with the protection role expected from the nation-state, it is mostly fulfilled by the private sector itself.

When it comes to the political dimension, the situation is different. While it is difficult to find nation-states that have a genuine policy of using their cyber capabilities to defend their civil society, it is extremely easy to find examples of states that are using their cyber capabilities to push their political agendas against civil societies, very often starting with their own. The life of active participants in civil society is thus becoming difficult, due to government pressure—generally justified in the name of the fight against terrorism—against the use by the public of protective technologies such as encryption and the lack of a basic regulation of cyberspace.

The activity of civil societies in cyberspace relies largely on the openness of the Internet, which depends not only on the possibility of deploying new applications and services in a simple way and on the availability of cheap or free resources that can be easily assembled and set up, but also on the "open" and transparent governance of the Internet.

As some actions (such as whistle-blowing for instance) are considered as illegitimate by existing powers, the supporting actors may need to be protected against nation-states, the most active enemies of civil societies in cyberspace. In most countries, however, governments and government agencies systematically attempt to delegitimize the right to use technologies such as encryption, supposedly because this would undermine the state's security. From this standpoint, the EU is developing a different approach that is addressed in the next sections.

The EU's Approach to Cybersecurity

The first overarching approach to cybersecurity in the EU was the European Cybersecurity Strategy, presented in February 2013, which announced three basic principles: The same core values, laws, and norms that apply in the physical world apply also in the cyber domain; the Internet is a public or collective good that should be available and accessible to all; the governance model for the Internet should be democratic, and cybersecurity policy should be a shared and multistakeholder responsibility.

The strategy also defined five strategic priorities, which included establishing a coherent international cyberspace policy in order to promote core EU values (EU "cyber diplomacy"). Europe has in effect an ambition to be a normative global actor, capable of creating an effective and constructive culture of cybersecurity within and beyond the EU.

EU cybersecurity policy diverges both from policies pursued in EU member states and from policies that are being developed in the rest of the world in many important respects, in particular the nature of cyber power, the governance model, and respect for fundamental rights.

The EU, in conformity with its core norms and values, doesn't develop the kind of hard and offensive cyber power concept pursued by those states that approach the issue through the logic of national security and superiority. The EU approach is basically legalistic and protective. It focuses on soft power capabilities, i.e., building capacities that enable detection, response and recovery from sophisticated cyberthreats.

In the defense/military field, the EU is solely engaged in cyber self-protection and assured access to cyberspace to enable its operations and missions. Offensive capabilities, when they exist, are not developed or deployed under the EU banner.

Europe's concept is crucially different from the one defined in the United States after the terrorist attacks on September 11, 2001, and from the approaches pursued by other crucial state players, such as the Russian Federation and the People's Republic of China, both widely suspected of sponsoring various forms of cyberattacks for political purposes, together with the majority of individual EU member states, which do allocate significant budgets and personnel to developing cyberoffensive capabilities.

Governance Models

Governance models broadly oppose multistakeholder to governmental models. On one side, a number of non-European countries, such as the United States, Japan, Canada, and Australia, share with the EU the vision of multistakeholder governance. They consider that traditional top-down state-centered models are ill-suited to global, decentralized, publicly shared but largely privately developed communication networks. They do not agree, however, on the list of relevant stakeholders. While the EU recommends the inclusion of all players—from citizens to governments—the United States argues for a predominantly nongovernmental model with the strong participation of the business sector.

On the other side, the multistakeholder approach is highly contested by a number of countries, such as Russia, China, Iran, and India, which defend both a centralized and intergovernmental approach. Arguing that Western countries are holding too much power over the management of the Internet and that they themselves are underrepresented in the actual global Internet governance institutions, they plead in favor of much more governmental involvement in cyberspace, and they want the Internet to be governed at the international level by intergovernmental organizations.

The EU, given its unique features, has in theory the potential to be a model for other regions of the world, since it is a remarkable full-sized "institutional laboratory" that must constantly find compromises and trade-offs between contradictory actors, principles, instruments, and interests. The EU is also building a consistent and comprehensive governance model with a decentralized structure, in which different agencies and institutions are responsible for different aspects of the digital world. Political and legal control is exercised by two major institutional players, the EU Parliament and the European Court of Justice, which play an essential role in preventing the capture of the regulatory game by economic lobbies, political leaders, or technological experts, thereby ensuring a balance between cybersecurity, the public interest, other legitimate economic, commercial, or regional interests, and the defense of citizens' rights and freedoms.

Fundamental Rights' Protection

In the cyber domain, the main difference between the EU and other approaches is the attention paid to respect for civil liberties and the rule of law, including international law, and to the promotion and defense of fundamental rights. While the EU, which cannot depart from the principles of the European Charter of Human Rights, is preoccupied with balancing cybersecurity with the protection of such rights, individual countries—both outside and inside Europe—are more ready to accept derogations for reasons of national security.

Indeed, to a large extent, EU cybersecurity policy has been a reactive rather than a proactive policy. Normative texts set up by the EU in the field of cybersecurity have often appeared as reactions to external circumstances. The successive revelations of US surveillance activities concerning European citizens, for instance, had an indisputable norm-productive effect. They brought the issue of rights and democracy under closer scrutiny and increased pressure within the EU to ensure respect for European citizens' rights online, both domestically and abroad.

Conclusions

The digitalization of our societies creates new forms of vulnerability and new potential threats, as ill-intentioned people can relatively easily gain access both to sensitive information and to the operation of crucial services. Critical infrastructure systems are complex and therefore bound to contain weaknesses that might be exploited. Malevolent actors—which include states as well as criminals and terrorists—can at least in theory approach targets that would otherwise be utterly unassailable, such as power grids or air traffic control systems, which might be attacked to inflict human or material destruction. So far such cyberattacks have not killed people, but this could come in the relatively near future.

Such threats are addressed by cybersecurity policies whose effective implementation depends not only on state actions but also on public-private cooperation and on coordination between policy areas and international institutions, especially the EU. In recent years, the EU has been working to implement a consistent, balanced, and overarching cybersecurity strategy, built on internal resilience and its core values. The EU's declared ambition is to make its digital environment not only the most secure but also the most respectful of the citizens' fundamental rights in the world. This is a real challenge, given the difficulty of finding a satisfactory and sustainable balance between security, freedom, and protection of citizens' fundamental rights.

The EU objective of developing a cyber soft power privileging defense, resilience, and civil society sharply contrasts with national cybersecurity policies developed both inside and outside Europe. In Europe, where governments tend to play on emotional reactions to terrorist threats to support traditional national security approaches, some uncertainty remains over member state buy-in for such a common EU approach. In the rest of the world, major cyber players have different concepts, cultures, and logics on these matters, particularly regarding norms for cybersecurity behavior.

How can compromises be found that satisfy these opposing demands (security and rights protection), which are complementary imperatives lying at the root of democratic systems? It is certainly wrong to regard the negative impact of communication technologies as uncontrollable, but it is equally wrong to imagine that one can bring them completely under control. Too much security kills security, and some policy responses to cyberthreats are just as worrying in the long term as the evils they claim to remedy.

Licenses and Attributions

Cybersecurity: The Case for a European Approach by Genevieve Schmeder and Emmanuel Darmois from openDemocracy is available under a Creative Commons Attribution-NonCommercial 4.0 International license. UMGC has modified this work and it is available under the original license.

NATO Cybersecurity Approaches

The North Atlantic Treaty Organization (NATO), established in 1949, is a 28-member international alliance whose purpose is to "...safeguard the security and freedom of its members through political and military means" (NATO, n.d.).

Specifically, NATO

promotes democratic values and encourages consultation and cooperation on defense and security issues to build trust and, in the long term, prevent conflict

is committed to the peaceful resolution of disputes

As an international organization with operational capacity, NATO has lagged in its approach to cybersecurity, although recent events indicate NATO's recognition of and commitment to cyber defense.

Since 2014—and, as agreed to by the allies at the NATO Summit that same year—NATO has established two cyberdefense priorities. The first is the protection of NATO's networks, which is made difficult due to the geographic span of the alliance, as well as the vastly different operational sites. The objective is to "...ensure that the communications and information systems that the Alliance relies upon for its operations and missions are protected against threats emanating from cyberspace" (Robinson, 2016).

The second priority is to help NATO member nations to develop their own cyberdefense capacity and capabilities, starting with the fundamentals of providing assistance in creating individual cyberdefense strategies. To that end, NATO offers education, training, and exercises to support member nation needs. It is important that each member nation raises the bar on its own cyberdefense capabilities because the alliance as a whole is only as strong as its weakest member nation (Robinson, 2016).

The maturation of NATO perspectives on cyberdefense continues to date, most recently marked by the June 2016 acknowledgement by NATO defense ministers that cyberspace is a domain of warfare. The announcement, made on the same day that the US Democratic National Committee announced that its networks had been hacked, appears to have been made in an effort to improve the security of member nation networks. "The effort is designed to bolster the Allies' cyberdefenses, but also will begin a debate over whether NATO should eventually use cyber weapons that can shut down enemy missiles and air defenses or destroy adversaries' computer networks" (Barnes, 2016).

References

Barnes, J. (2016, June 14). NATO recognizes cyberspace as new frontier in defense. The Wall Street Journal. Retrieved from http://www.wsj.com/articles/nato-to-recognize-cyberspace-as-new-frontier-in-defense-1465908566

NATO. (n.d.). What is NATO? Retrieved from http://www.nato.int/nato-welcome/index.html

Robinson, N. (2016). NATO: Changing gear on cyber defense. NATO Review. Retrieved from http://www.nato.int/docu/Review/2016/Also-in-2016/cyber-defense-nato-security-role/EN/index.htm

United Nations Cybersecurity Approaches

The United Nations (UN) was founded in 1945 and is currently composed of 193 member states. The mission of the UN is as follows:

maintain international peace and security

develop friendly relations among member nations based on respect for equal rights

achieve international cooperation in solving international problems

be a center for harmonizing the actions of nations in attaining common goals

The UN has been considering cybersecurity approaches since the late 1990s, when cybersecurity first appeared on the agenda of the UN General Assembly. Since that time, it has appeared on the agenda annually, with various resolutions offered, discussed, and often voted upon and passed.

Most of the resolutions in the past, however, have focused more on general agreement of the growing cybersecurity threat or emerging interest in understanding the role of the UN in relation to cybersecurity. Past cybersecurity discussions have been conducted under the title "developments in the field of information and telecommunications in the context of international security."

2014-15 marked a turning point in the UN's approach to cybersecurity, as it directed the establishment of a Group of Governmental Experts (GGE) to study and make recommendations on cybersecurity. While this was not the first GGE to assemble and discuss this topic, this particular GGE worked for a year to develop a consensus report—one that was highly anticipated among UN members. "In the report, experts from 20 states agreed upon an impressive array of recommendations for confidence-building measures, capacity-building efforts, and voluntary, non-binding norms" (Korzak, 2015).

The 2014-15 GGE report focused on information and communications technology (ICT) and acknowledged the disturbing trends that threatened international peace and security. It also emphasized the importance of cooperation among member states to reduce the risks posed by these threats. The group also examined applicable international laws and norms, noting that "...states should guarantee full respect for human rights, including privacy and freedom of expression" (GGE, 2015). The recommendations include the following (GGE, 2015):

States should not conduct or support ICT activity that damages or impairs critical infrastructure.

States should take appropriate measures to protect their critical infrastructure.

States should not harm the information systems of authorized emergency response teams—or use those teams—to engage in malicious international activity.

States should encourage reporting of ICT vulnerabilities, ensure the integrity of the supply chain, and prevent the proliferation of malicious ICT tools and techniques.

While previous resolutions have "taken note" of the GGE report conclusions, the 2015 conclusions "...'calls upon' member states 'to be guided in their use of information and communications technologies'" (Korzak, 2015). These conclusions marked a significant shift in the UN's prerogative of information security.

References

Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE). (2015). UNGA A/70/174.

United Nations Charter. (n.d.). Purposes and principles. http://www.un.org/en/charter-united-nations/index.html

Korzak, E. (2015). Cybersecurity at the UN: another year, another GGE. Lawfare. Retrieved from https://www.lawfareblog.com/cybersecurity-un-another-year-another-gge